About This Guide 


Introduction 


The purpose of this documentation is to describe how to install the components 
of Novell® BorderManager™ Enterprise Edition 3.5, and how to perform basic 
software setup and configuration. In addition, this documentation refers you to 
specific online documents for more information. 


The audience for this documentation is experienced network administrators. 
This documentation is not intended for users of the network. 


User Comments 


We are continually looking for ways to make our products and our 
documentation as easy to use as possible. 


You can help us by sharing your comments and suggestions about how our 
documentation could be made more useful to you and about inaccuracies or 
information gaps it might contain. 


Submit your comments by using the User Comments form provided with the 
online documentation or by writing to us directly at the following address: 


Novell, Inc. 

Documentation Development MS PRV-C231 
122 East 1700 South 

Provo, UT 84606 USA 


We appreciate your comments. 
Installing Novell BorderManager 


This chapter provides instructions for installing the Novell® BorderManager™ 
software and contains the following sections: 


- “System Requirements” on page 2 
- “Upgrading” on page 4 
- “Documenting Your Environment” on page 5 
- “Installing Novell BorderManager on a NetWare 5 Server” on page 5 
- “Installing Novell BorderManager on a NetWare 4.11 or Later Server” on page 8 
- “Installing the Novell Client Software” on page 13 
- “Installing NetWare Administrator Snap-In Modules” on page 14 
- “Setting Up Login Policies” on page 15 
- “Installing Cyber Patrol” on page 17 
- “BorderManager Documentation” on page 18 
- “Where to Go from Here” on page 19 


This chapter describes the tasks required to install an initial implementation of 
BorderManager software. For planning and conceptual information about the 
services that comprise the BorderManager software suite, refer to Novell 
BorderManager Enterprise Edition 3.5 Overview and Planning, available in the 
online documentation. Make sure you understand this information before setting 
up and configuring the various services included in the BorderManager suite. 
System Requirements 


Novell® BorderManager™ is installed on a NetWare® server and is 
administered using NetWare Administrator from a client Windows 95*, 
Windows 98*, or Windows NT* workstation. Review the following 
requirements to ensure that your server and client environments meet the 
installation prerequisites. 


Server Requirements 


Table 1-1  For Installing on NetWare 5 


Server Hardware 
- PC with a Pentium* or later processor 
- Minimum of 128 MB of RAM 
- Minimum of 60 MB of disk space, with an additional 40 MB available 
  during installation 
- 500 MB of disk space to support caching services 
- VGA or higher-resolution monitor (SVGA recommended) 
- PS/2* mouse (recommended) to support the Java* interface 
- CD-ROM drive that can read ISO 9660 formatted disks 


Server Software 
- NetWare 5™ (Note: For NetWare 5 MLA servers, you must have a 
  server-based license on the target server.) 
- NDS™ read/write replica 
- Support Pack 2 or later 
- Novell Licensing Service (NLS) Kit (installed automatically with 
  NetWare 5) 


Table 1-2  For Installing on NetWare 4.11 or Later 


Server Hardware 
- PC with a Pentium or later processor 
- Minimum of 128 MB of RAM 
- Minimum of 60 MB of disk space, with an additional 40 MB available 
  during installation 
- 500 MB of disk space to support Proxy Services 
- CD-ROM drive that can read ISO 9660 formatted disks 


Server Software 
- NetWare 4.11 or later 
- NDS read/write replica 
- Support Pack 6 or later 
- Novell Licensing Service (NLS) Kit (included with Support Pack 6) 
- TCP/IP network interface bound and configured 





Because BorderManager is a Novell Licensing Services (NLS)-enabled 
application, the first BorderManager server installed into a tree or partition must 
be installed on a NetWare server that holds an NDS read/write replica of that 
partition. All BorderManager servers installed into the same partition at a later 
time are not required to have a read/write replica. Refer to “Adding an NDS 
Replica” on page 147 for details. 


If your server does not meet the software requirements, refer to Appendix A, 
“Meeting the Prerequisites,” on page 145. 
Client Requirements 


Client Hardware 
- Windows 95 and Windows 98: 486 processor or later, minimum of 28 MB of 
  free disk space, minimum of 16 MB of RAM 
- Windows NT: 486 processor or later, minimum of 12 MB of free disk 
  space, minimum of 16 MB of RAM 


Client Software 
- Windows 95, Windows 98, or Windows NT 
- Netscape Navigator* 4.04 or later 


Upgrading 


Novell® BorderManager™ can be installed as an upgrade to Novell 
BorderManager 3. Novell BorderManager installation will preserve the 
existing server configuration, with the exception of the Virtual Private Network 
(VPN). Refer to “Upgrading VPN from a Previous Version” on page 108 for 
details on upgrading a VPN configuration. 


During installation, if you elect to secure the public interfaces of your Novell 
BorderManager server, a set of default filters will be configured. When you 
perform an upgrade installation, the existing filters are retained and the default 
filters are added to the filter list. 


Login policies establish user access to BorderManager services. In 
BorderManager version 3.5, login policies are stored in NDS in the Login 
Policy object. Previous versions of BorderManager use hardcoded default 
policies. If you want to manage login policies for all BorderManager 
services from NDS using the Login Policy object, you should upgrade previous 
versions of BorderManager to BorderManager version 3.5 and create the 
appropriate policies. Refer to “Setting Up Login Policies” on page 15 for 
further information. 




Documenting Your Environment 


Review the following list of items and record information as required to 
complete the installation: 


- Location of license diskettes or path to the license file 
- Server IP address 
- Public and private interfaces and their IP address bindings 
- Domain Name System (DNS) domain name 
- IP addresses for up to three DNS name servers on the network 


Installing Novell BorderManager on a NetWare 5 Server 


To install Novell® BorderManager™ on the server, complete the following 
steps: 


1. If you have not already done so, install the NetWare 5™ Support 
Pack 2 or later software on your server. 


Refer to “Installing Support Pack Software” on page 148. 


2. Enter the following at the server console to restart the server: 


SERVER 


3. Insert the BorderManager Enterprise Edition CD-ROM into the 
CD-ROM drive. 


4. At the server console, enter 


CDROM 


5. If the GUI is not already loaded, enter 


STARTX 


If STARTX was already loaded, press Ctrl+Esc and select the X-Server 
Graphical Console. 
6. Click the Novell logo, then select Install to display the currently 
installed products. 


7. Click New Product, then replace the default A:\ path with the path 
to the root of the BorderManager CD-ROM drive or Browse to the 
root of the CD-ROM drive. Verify the source path and click OK. 


NetWare 5 reads the CD-ROM drive as a volume. The CD-ROM drive 
label is BMEE35_DES (for the 56-bit encryption version) or 
BMEE35_3DES (for the 128-bit encryption version). 


8. From the Welcome window, click Next. 


9. Read the license agreement. If you accept the terms of the 
agreement, click I Accept. 


10. Check the check box for each BorderManager service you want to 
install. 


11. To install the license now, insert the Novell BorderManager 
Enterprise Edition License diskette, enter the path to the license 
(for example A:\), and click Next. Otherwise, check the Skip License 
Install check box and click Next. 


Valid licenses are located on the diskette in the root directory. Trial 
licenses are located on the CD-ROM in the \LICENSE directory. You can 
install the system files without installing the license; however, 
BorderManager will not load until a valid or trial license is installed. For 
information on how to install the licenses at a later time, refer to 
Appendix B, “Installing License Certificates,” on page 153. 


12. At the prompt, log in to the NDS™ tree with a fully distinguished 
name (with administrative rights). 


You must have administrative rights or the security equivalent at the root 
of the NDS tree. This requirement applies to any user who is a trustee 
with Supervisor rights at a container at the same level as the server. 
Administrative rights are required to extend the NDS schema, install 
product licenses, and configure IP addresses for the interface cards. 


13. If you are installing BorderManager firewall/caching services or 
BorderManager VPN services, review the list of network interfaces 
and their IP bindings. Specify each interface as public, private, or 
both. If you are installing only BorderManager Authentication 
Services, this screen will not appear; skip to Step 14. 


For both firewall/caching and VPN services, you must specify a public 
IP address to use with BorderManager to secure your network border. 
Public IP addresses specify server interfaces to a public network, 
typically the Internet. Private IP addresses specify server interfaces to a 
private network, or intranet. 


13a. Specify a public IP address. 


Specifying an interface as public activates the Set Filters to Secure 
All Public Interfaces check box. Check this check box to set 
default IP and IPX™ filters for public interfaces. If this is an 
upgrade, existing filters are preserved. 


13b. Specify a private IP address. 


Specifying an interface as private activates the HTTP Proxy for All 
Private Interfaces check box. Check this check box to enable 
Internet access from a Web browser. 


- If you did not enable the HTTP Proxy for All Private Interfaces 
  check box, continue with Step 14. 


- If you enabled the HTTP Proxy for All Private Interfaces 
  check box, access control is enabled by default. Access control 
  enforces additional security by denying all traffic. Access 
  control rules can be set using the NetWare® Administrator 
  utility. Access rules are used to allow or deny access from any 
  source or to any destination. Refer to Chapter 7, “Setting Up 
  Access Control,” on page 115 for more information. 


13c. Click Next. 


14. Enter a unique DNS domain name for your network, then click Next. 


15. Click Add to enter at least one or up to three DNS server IP 
addresses. Click the Up-arrow and Down-arrow to modify the search 
order, then click Next. 


16. Review the list of products to be installed. Click Finish if you are 
done or click Back to return to previous windows and modify your 
selections. 


17. Do one of the following: 


- Click Readme to view the Readme file. 
- Click Reboot to complete the installation and restart the server. 
- Click Close to complete the installation and return to the GUI 
  screen. 


Installing Novell BorderManager on a NetWare 4.11 or Later Server 


To install Novell® BorderManager™ on the server, complete the following 
steps: 


1. If you have not already done so, install the NetWare® 4 Support Pack 
6 or later software on your server. 


Refer to “Installing Support Pack Software” on page 148. 


2. If you have not already done so, configure and load TCP/IP on your 
server. 


Refer to “Configuring TCP/IP” on page 150. 


3. Insert the BorderManager Enterprise Edition CD-ROM into the 
CD-ROM drive. 


4. At the server console prompt, enter 


LOAD INSTALL 


5. From the Installation Options menu, select Product Options. 


6. From the Other Installation Actions menu, select Install a Product 
Not Listed. 


7. Press F3 and replace the default A:\ path with the path to the root 
of the BorderManager CD-ROM. 


Most NetWare 4 servers can allow you to access the CD-ROM using the 
D:\ drive name. In this case, you can enter the path as D:\. If you mounted 
the CD-ROM, the path is BMEE35_DES:\ (for the 56-bit encryption 
version) or BMEE35_3DES:\ (for the 128-bit encryption version). 


8. Select Continue and Access the CD-ROM, then press Enter. 


9. Press Enter to continue the installation. 


10. Select the product components to install, press F10, then press Enter. 


The following prompt is displayed: 


Install routing configuration files to <<server_name>>? 


During BorderManager installation, software required by Novell 
BorderManager to support routing capabilities is installed on your 
system. 


You can use routing configuration files to configure routing on multiple 
servers without having to perform all the configuration steps on each 
server. 


You can create routing configuration files using the NIASCFG utility. 
More information about creating and exporting routing configuration 
files is located in the NetWare 5™ online documentation at the following 
path: 


Contents > Connectivity Services (under Network Services heading) > 
Routing Configuration > Configuring Router Management > Export 
Configuration. 


11. If you do not want to install routing configuration files at this time, 
or you do not have routing configuration files, skip to Step 13. 


12. If you want to install a previously created routing configuration file 
on this server, do the following: 


12a. Select Yes and press Enter. 


12b. Insert the diskette with the routing configuration file, then 
specify the correct path, if necessary. 


12c. Press Enter to copy the routing configuration file, then skip to 
Step 14. 


The NIAS Installation Complete menu is displayed. 


13. To continue the installation without installing a routing 
configuration file, select No and press Enter. 


The NIAS Installation Complete menu is displayed. 
14. Press Enter to continue the installation. 


15. At the prompt, log in to the NDS™ tree with a fully distinguished 
name (with administrative rights), then press Enter. 


You must have administrative rights or the security equivalent at the root 
of the NDS tree. This requirement applies to any user who is a trustee 
with Supervisor rights at a container at the same level as the server. 
Administrative rights are required to extend the NDS schema, install 
product licenses, and configure IP addresses for the interface cards. 


16. Verify the context in which you want to install the license and the 
path to the license, enter the correct context and path, then press 
Enter. 


Valid licenses are located on the diskette in the root directory, so the path 
would be A:\. Trial licenses are located on the CD-ROM under 
D:\LICENSE. If you mounted the CD-ROM, the path is 
BMEE35_DES:\LICENSE (for the 56-bit version) or 
BMEE35_3DES:\LICENSE (for the 128-bit version). 


17. If prompted, insert the Novell BorderManager Enterprise Edition 
License diskette, then press Enter. 


18. At the License Install Results window, press Enter to continue. 


19. At the BorderManager Install Complete window, press Enter. 


20. From the Other Installation Actions menu, select View/Configure/ 
Remove Installed Products, then press Enter. 


The Currently Installed Products list appears with an entry for each of the 
products that you installed. Verify that all the products (BorderManager, 
NIAS, and SAS/PKI) were installed successfully. The Support Pack 
should also be listed as installed. 


21. Press Esc three times and select Yes to exit the installation program. 


22. Enter the following commands to restart the server: 


DOWN 
RESTART SERVER 


When the server is restarted, it automatically loads an initial filter 
configuration program (BRDCFG.NLM) for BorderManager. This 
program prompts you to set up BorderManager for secure access to the 
public network with packet filtering. 


Public IP addresses specify server interfaces to a public network, 
typically the Internet. Because public IP address interfaces are a security 
risk, we recommend that you select Yes and secure access. This sets up 
default packet filtering, and all traffic from any port, from any source, 
and to any destination is denied except services on the exception list. The 
default exception list allows Proxy Services, VPN, and Novell IP 
Gateway traffic. To allow any other access to your network, you must 
explicitly define access rules to allow access. 


If you select No, no packet filtering is set up, and all traffic from any port, 
from any source, and to any destination is allowed. To secure your 
network, you must explicitly define access rules to deny access. Refer to 
Chapter 2, “Setting Up Packet Filters,” on page 25, and Chapter 7, 
“Setting Up Access Control,” on page 115 for more information. You can 
run the BRDCFG.NLM utility again at a later time to change your initial 
packet filtering configuration. 


23. If you want to secure access, select Yes and press Enter. If you do not 
want to secure access, skip to Step 24. 


If the DNS Resolver has not been configured, you are prompted to load 
the Internetworking Configuration utility (INETCFG). Use INETCFG 
and complete the following substeps to configure the DNS Resolver: 


23a. At the load INETCFG prompt, select Yes and press Enter. 


23b. From the Internetworking Configuration menu, select 
Protocols > TCP/IP > DNS Resolver Configuration. 


23c. Specify the domain name for the server and the IP address of 
at least one DNS name server within the specified domain, then 
press Esc twice. 


23d. When prompted to update the TCP/IP configurations, select 
Yes and press Enter. 
23e. Press Esc twice and select Yes to exit INETCFG. 


A filter configuration options window is displayed, allowing you 
to set or configure filters. 


23f. Select Set Filters on Public Interface and press Enter. 


A list of interfaces and corresponding IP addresses found on your 
server is displayed. 


23g. Select the address that corresponds to your public interface 
and press Enter. 


A warning message indicating that all IP and IPX™ traffic will be 
blocked is displayed. 


23h. Select Continue and press Enter. 


A message indicating that IP filters have been added is displayed. 


23i. Press Enter to continue. 


A message indicating that IPX filters have been added is displayed. 


23j. Press Enter to continue, exit the filter configuration utility and 
skip to Step 25. 


24. If you do not want to secure access, select No and press Enter. 


If the DNS Resolver has not been configured, you are prompted to load 
INETCFG. Use INETCFG to complete the following substeps to 
configure the DNS Resolver: 


24a. At the load INETCFG prompt, select Yes and press Enter. 


24b. Select Protocols > TCP/IP > DNS Resolver Configuration. 


24c. Specify the DNS domain name for the server and the IP 
address of at least one DNS name server within the specified 
domain, then press Esc twice. 


24d. When prompted to update the TCP/IP configurations, select 
Yes and press Enter. 


24e. Press Esc twice and select Yes to exit INETCFG. 


25. At the console prompt, enter 


REINITIALIZE SYSTEM 
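The difference between answering Yes and No to BRDCFG.NLM in Step 22 is the default that applies when no explicit rule matches. The following is an added model of that behaviour, not Novell code: with Yes, traffic on a public interface is denied unless it is on the exception list (Proxy Services, VPN, Novell IP Gateway) or an explicit allow rule matches; with No, everything is allowed unless an explicit deny rule matches. Service labels and addresses are constructed for illustration.

```python
"""Constructed model of the initial packet-filter choice made in BRDCFG.NLM.

Not Novell code. Traffic is labelled by service name rather than by port so
that the example does not have to assume port numbers the manual never lists.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Services on the default exception list named in the manual.
DEFAULT_EXCEPTIONS = frozenset({"proxy", "vpn", "ipgateway"})


@dataclass(frozen=True)
class Packet:
    iface: str     # "public" or "private": the server interface that received it
    src: str       # source address (constructed sample value)
    dst: str       # destination address (constructed sample value)
    service: str   # constructed service label, e.g. "proxy", "telnet"


@dataclass(frozen=True)
class Rule:
    """An explicit access rule; a None field matches any value."""
    action: str                   # "allow" or "deny"
    service: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return all(
            want is None or want == getattr(pkt, name)
            for name, want in (("service", self.service),
                               ("src", self.src), ("dst", self.dst))
        )


@dataclass
class BorderFilter:
    secure_public: bool                      # the Yes/No answer given to BRDCFG
    rules: List[Rule] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        # Explicit access rules are consulted first, in order.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        # The default filters cover public interfaces only, and only if the
        # administrator chose to secure access.
        if self.secure_public and pkt.iface == "public":
            return "allow" if pkt.service in DEFAULT_EXCEPTIONS else "deny"
        return "allow"


def audit(flt: BorderFilter, packets: List[Packet]) -> Dict[str, str]:
    """Return {service label: decision} for a batch of constructed packets."""
    return {p.service: flt.decide(p) for p in packets}


# Constructed sample traffic arriving on the public interface.
SAMPLE = [
    Packet("public", "203.0.113.7", "192.0.2.1", "proxy"),
    Packet("public", "203.0.113.7", "192.0.2.1", "vpn"),
    Packet("public", "203.0.113.7", "192.0.2.1", "telnet"),
    Packet("public", "203.0.113.7", "192.0.2.1", "smtp"),
]

SECURED = BorderFilter(secure_public=True)                       # answered Yes
OPEN = BorderFilter(secure_public=False)                         # answered No
# Answered No, then added one explicit deny rule afterwards.
OPEN_WITH_DENY = BorderFilter(False, [Rule("deny", service="telnet")])

if __name__ == "__main__":
    for name, flt in (("Yes", SECURED), ("No", OPEN),
                      ("No + deny rule", OPEN_WITH_DENY)):
        print(name, audit(flt, SAMPLE))
```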


Installing the Novell Client Software 


The Novell Client™ software provides access to Novell® BorderManager™ 
from Windows 95, Windows 98, and Windows NT workstations. All client 
workstations on your network, including your administrative workstation, 
should be upgraded to the current version of the Novell Client. Also, to support 
the Novell IP Gateway, you must install the Novell IP Gateway client 
component on all client workstations. 


The Novell Client setup utility installs the Novell Client software and the 
Novell IP Gateway client component. When you use this utility, you can select 
the client you want to install from a list of available clients. 


To install the Novell Client software, complete the following steps: 


1. Insert the Novell Client CD-ROM. 


If the Novell Client setup utility does not start automatically, run 
WINSETUP.EXE from the Products directory. 


2. Click a language for the installation, click the Windows* client 
platform you want to install, then click Install Novell Client. 


3. Select Typical or Custom installation, then click Next. 


If the client requires Novell IP Gateway access, you must select Custom. 


4. If you selected Custom, complete the following substeps: 

4a. Check the Novell IP Gateway check box and click Next. 

4b. Select the protocol that the client will use. 

4c. Click Next and follow the on-screen instructions until you click 
Finish. 

5. When prompted, restart your workstation. 


When your workstation restarts, you are prompted to enter the client's 
preferred gateway server. If you have not enabled the Novell IP Gateway 
services, uncheck the Enable Gateway check box or select Disable 
Gateway (Windows 3.1 clients only). 


For the procedure to enable Novell IP Gateway services, refer to 
Chapter 4, “Setting Up the Novell IP Gateway,” on page 45. 
Installing NetWare Administrator Snap-In Modules 


NetWare® Administrator snap-in modules allow you to enable, configure, and 
manage Novell® BorderManager™ components, such as Proxy Services, the 
Novell IP Gateway, VPN, BorderManager Authentication Services, and access 
control. 


The BorderManager installation utility installs the 32-bit client NetWare 
Administrator snap-in modules on the server. If you installed BorderManager 
on a NetWare 5 or NetWare 4.2 server, you do not need to install the NetWare 
Administrator snap-in modules to administer BorderManager services. You 
may administer your BorderManager servers by running NWADMN32.EXE 
from the server’s SYS:\PUBLIC\WIN32 directory. 


If you installed BorderManager on a NetWare 4.11 server, you must install the 
NetWare Administrator snap-in modules to NetWare Administrator 
(NWADMN95.EXE or NWADMNNT.EXE) before you can administer your 
BorderManager servers. 


If you prefer to manage your BorderManager servers and other NDS objects 
from a single, centralized administrative console, you must install the NetWare 
Administrator snap-in modules to the desired NetWare Administrator 
workstation deployed in your network. 


To install the snap-in modules, complete the following steps: 


1. Launch the version of NetWare Administrator to which you want to 
install the snap-in modules, verify that it is working properly, then 
exit the utility. 


2. From your administrator workstation, map a drive to the SYS: 
volume of the BorderManager server and launch the Novell 
BorderManager Setup program (SETUP.EXE). 


The BorderManager SETUP.EXE program is located on the server in the 
path SYS:\PUBLIC\BRDRMGR\SNAPINS. 


3. Follow the instructions provided by the installation wizard. 


During the snap-in module installation, you are prompted for the location 
of your administrator files. Usually, administrator files are located on the 
SYS: volume of the server in the \PUBLIC\WIN32, \PUBLIC\WIN95, or 
\PUBLIC\WINNT directories. If you want to install the BorderManager 
snap-in modules into a centralized NetWare Administrator 32 location, 
specify the directory where your centralized NWADMN32.EXE resides 
(for example, SYS:\PUBLIC\WIN32). If you are using NetWare 
Administrator 95 to administer your network, specify the directory where 
NWADMN95.EXE resides (for example, SYS:\PUBLIC\WIN95). If you 
are using NetWare Administrator NT to administer your network, specify 
the directory where NWADMNNT.EXE resides (for example, 
SYS:\PUBLIC\WINNT). 


4. After the snap-in modules are installed, exit the installation wizard. 


5. If you use NetWare Administrator 95 to administer NetWare 4.11 or 
4.12 servers, run the following files to modify the workstation's 
registry: 


SYS:\PUBLIC\PKIS_4.REG 
SYS:\PUBLIC\WIN95\NLSMGR95.REG 


6. If you use NetWare Administrator NT to administer NetWare 4.11 or 
4.12 servers, run the following files to modify the workstation's 
registry: 


SYS:\PUBLIC\PKIS_4.REG 
SYS:\PUBLIC\WINNT\NLSMGRNT.REG 


Setting Up Login Policies 


All users logging in to services through Novell® BorderManager™ must be 
authenticated. The type of authentication required for a user to log in and 
access network services through BorderManager is stored in NDS™ in a Login 
Policy object. Because of this, you must set up a generic login policy to enable 
users to access BorderManager services. Until a policy is set up, no user access 
will be allowed. There can be only one Login Policy object in an NDS tree. 
This object holds the login policies for all BorderManager servers and services 
in the tree. 


The policies stored in the Login Policy object apply only to BorderManager 
version 3.5 services. Previous versions of BorderManager use hardcoded 
default policies. To manage login policies for all BorderManager services using 
the Login Policy object, you must upgrade previous versions of BorderManager 
to BorderManager version 3.5. 
To create a Login Policy object and set up generic policy rules that allow users 
to access network services through each of the various BorderManager services 
with an NDS password, complete the following steps: 


1. In NetWare® Administrator, select the Security container object in 
your NDS tree. 


The Login Policy object can only be created in the Security container 
object. The Security container is located under [Root]. 


2. From the Object menu, click Create > Login Policy > OK. 


3. To configure a login policy rule, click Rules > Add. 


4. To configure a rule for BorderManager Authentication Services, 
select the Distinguished name radio button from the Service Type 
dialog box, browse to select the Dial Access System object associated 
with that service, then check the Enabled check box. 


If this is a new installation of BorderManager Authentication Services, 
you will need to create a Dial Access System object. Refer to “Creating 
a Dial Access System Object” on page 129 for more information. 


5. Select the Users tab, define a label to identify the list of users you will 
be enabling, then browse to select the user, group, or container 
objects to enable access. 


6. Select the Methods tab, click Add, then check the Authentication 
Method enabled check box. 


7. In the Method Types dialog box, check NDS Passwords. 


8. In the Method Enforcement dialog box, check Mandatory, then click 
OK. 


9. To configure a rule for Proxy Services, select the Predefined radio 
button from the Service Type dialog box, select Proxy, check the 
Enabled check box, then complete Step 5 through Step 8. 


10. To configure a rule for SOCKS, select the Predefined radio button 
from the Service Type dialog box, select SOCKS, check the Enabled 
check box, then complete Step 5 through Step 8. 


11. To configure a rule for VPN, select the Predefined radio button from 
the Service Type dialog box, select VPN, check the Enabled check 
box, then complete Step 5 through Step 6. 


As NDS passwords are a prerequisite for VPN authentication, you only 
need to define additional method types and enforcement policies if you 
would like users to be authenticated by additional means such as token 
devices. (VPN users are always required to enter their NDS passwords.) 


12. Click OK > OK to exit. 
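The rules created in Steps 3 through 11 each carry a service type, an Enabled flag, a user list and a set of authentication methods with an enforcement setting. The following is an added, constructed model of how such a policy decides access; it is not Novell code and does not describe the product's internal evaluation. Assumptions: a user is covered by a rule when listed directly, through a group, or through a container that its distinguished name ends with; every method marked Mandatory must have been used (an "Optional" enforcement value is assumed for contrast); VPN always requires the NDS password in addition; with no Login Policy object at all, nothing is allowed. The DNs and rules are constructed sample data.

```python
"""Constructed model of Login Policy object rules (not Novell code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class PolicyRule:
    service: str              # "Proxy", "SOCKS", "VPN", or a Dial Access System DN
    enabled: bool             # the Enabled check box
    users: FrozenSet[str]     # DNs of User, Group, or container objects (Users tab)
    methods: Dict[str, str]   # method type -> "Mandatory" or "Optional" (assumed)


@dataclass
class LoginPolicy:
    rules: List[PolicyRule] = field(default_factory=list)


def covered(user_dn: str, groups: FrozenSet[str], listed: FrozenSet[str]) -> bool:
    """True if the user, one of its groups, or a containing context is listed.

    Constructed DN convention: 'alice.Staff.Acme' sits in container 'Staff.Acme'.
    """
    for entry in listed:
        if entry == user_dn or entry in groups:
            return True
        if user_dn.endswith("." + entry):      # container entry
            return True
    return False


def authorize(policy: Optional[LoginPolicy], service: str, user_dn: str,
              groups: FrozenSet[str],
              presented: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether user_dn may use `service`, given the methods it used."""
    if policy is None:
        # Until a Login Policy object exists, no user access is allowed.
        return False, "no Login Policy object: access denied"
    for rule in policy.rules:
        if not rule.enabled or rule.service != service:
            continue
        if not covered(user_dn, groups, rule.users):
            continue
        required = {m for m, enf in rule.methods.items() if enf == "Mandatory"}
        if service == "VPN":
            required.add("NDS Passwords")   # prerequisite for VPN authentication
        missing = required - presented
        if missing:
            return False, "missing mandatory method(s): " + ", ".join(sorted(missing))
        return True, "allowed by rule for " + service
    return False, "no enabled rule covers this user for " + service


# Constructed policy: generic NDS-password rules for Proxy and SOCKS (SOCKS
# left disabled), and a VPN rule that additionally requires a token device.
POLICY = LoginPolicy([
    PolicyRule("Proxy", True, frozenset({"Staff.Acme"}),
               {"NDS Passwords": "Mandatory"}),
    PolicyRule("SOCKS", False, frozenset({"Staff.Acme"}),
               {"NDS Passwords": "Mandatory"}),
    PolicyRule("VPN", True, frozenset({"RemoteUsers.Acme"}),
               {"Token": "Mandatory"}),
])

if __name__ == "__main__":
    print(authorize(POLICY, "Proxy", "alice.Staff.Acme", frozenset(),
                    frozenset({"NDS Passwords"})))
    print(authorize(POLICY, "VPN", "alice.Staff.Acme",
                    frozenset({"RemoteUsers.Acme"}), frozenset({"Token"})))
```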


Installing Cyber Patrol 


Cyber Patrol* is delivered with Novell® BorderManager™ with a 45-day trial 
subscription. If you plan to create access rules that use Cyber Patrol URL 
categories, you must install the Cyber Patrol NetWare Loadable Module™ 
(NLM™) on the BorderManager server. Cyber Patrol includes the CyberNOT* 
List, a list of Internet sites containing content that is inappropriate or 
counterproductive in the workplace, such as sexually explicit or drug-related 
material. Cyber Patrol for BorderManager also includes the CyberYES* List of 
educational sites and the Sports and Entertainment list. Cyber Patrol lists are 
updated weekly. 


You can use the Cyber Patrol lists free of charge during the 45-day trial period. 
At the end of the trial period, you can choose to subscribe to Cyber Patrol and 
receive updated lists on an ongoing basis. To subscribe, record your Cyber 
Patrol serial number, which is displayed at the end of the Cyber Patrol 
installation. Call The Learning Company* at 1-508-416-1000 in the U.S., and 
ask for the Novell Partner Account Manager. This is not a toll-free number. 
Provide The Learning Company representative with your Cyber Patrol serial 
number. The representative will provide you with an unlock code to activate the 
Cyber Patrol software. Cyber Patrol pricing is based on the number of users. For 
more information, see the Cyber Patrol Web site at www.cyberpatrol.com/novell. 


To install the Cyber Patrol files, complete the following steps: 


1. From your administrator workstation, map a drive to the server 
SYS: volume. 


2. From your workstation, run the Cyber Patrol setup program 
(CP_SETUP.EXE) on the server. 


CP_SETUP.EXE is located in SYS:\ETC\CPFILTER. 


3. Read and accept the license agreement. 
4. Enter the drive letter that corresponds to the SYS: volume of your 
BorderManager server and click Proceed. 


Enter only the drive letter without the colon. For example, enter D 
instead of D:. 


5. If you are planning to use Cyber Patrol on a 45-day trial period, click 
Save Settings from the Cyber Patrol registration window. 


6. (Optional) To register Cyber Patrol, click Register and Save. 


Before you click Register and Save, call Cyber Patrol at the number 
provided above, provide the serial number displayed on the screen, and 
enter the information the operator supplies you, including the unlock 
code. 


7. To load Cyber Patrol automatically every time the server restarts, 
enter the following line at the end of the AUTOEXEC.NCF file in the 
BorderManager server: 


LOAD SYS:ETC\CPFILTER\CPFILTER.NLM 


Make sure that you enter this line at the end of the AUTOEXEC.NCF 
file. All BorderManager modules must have a chance to load before 
CPFILTER.NLM can be loaded. 
BorderManager Documentation 


In addition to Novell® BorderManager™ Enterprise Edition 3.5 Installation 
and Setup, further documentation for the Novell BorderManager product is 
available in the online documentation at 


www.novell.com/documentation 


Web delivery of the online documentation provides convenient access to the 
most up-to-date documentation available. The online documentation includes 
the following: 


- Overview and planning—Provides an overview of the Novell 
  BorderManager services that you use to successfully manage your 
  network borders, discusses the requirements for managing and 
  controlling access to a network border, and includes detailed descriptions 
  of each BorderManager service. 

- Packet filtering—Provides advanced setup, configuration, and 
  management tasks for BorderManager packet filtering. 

- Network Address Translation (NAT)—Provides advanced setup, 
  configuration, and management tasks for BorderManager NAT. 

- Novell IP Gateway—Provides advanced setup, configuration, and 
  management tasks for the Novell IP Gateway. 

- Proxy Services—Provides advanced setup, configuration, and 
  management tasks for the Proxy Services. 

- Virtual Private Networks (VPN)—Provides advanced setup, 
  configuration, and management tasks for the VPN, as well as detailed 
  configuration examples. 

- Access control—Provides advanced setup, configuration, and 
  management tasks for access control of the application proxies, Novell 
  IP Gateway, and VPN clients. 

- BorderManager Authentication Services—Provides advanced setup, 
  configuration, and management tasks for the BorderManager 
  Authentication Services. 


Where to Go from Here 


The following table lists the default settings for each component service 
provided by Novell® BorderManager™, and provides references to the 
BorderManager documentation for more information. 


Note: If you upgraded your server, your existing server configuration, with the 
exception of your VPN configuration, was preserved. 
Table 1-3 
Default Configuration on NetWare 5 


Packet filters 
  Default setting: If you checked the Set Filters to Secure All Public 
  Interfaces check box during installation, the public interface is set to 
  deny all access, with the exception of VPN, Proxy Services, and the 
  Novell IP Gateway. If you did not check the Set Filters to Secure All 
  Public Interfaces check box during installation, no filters are set. If 
  this is an upgrade, existing filters are preserved. 
  Configuration information: Refer to Chapter 2, “Setting Up Packet 
  Filters,” on page 25. For a detailed list of default filters, refer to 
  Novell BorderManager Enterprise Edition 3.5 Overview and Planning in the 
  online documentation. 


Network Address Translation (NAT) 
  Default setting: Disabled. All incoming and outgoing packets are passed 
  without translation or modification to the address or port. 
  Configuration information: Refer to Chapter 3, “Setting Up NAT,” on 
  page 39. 


Novell IP Gateway 
  Default setting: Disabled. The IPX/IP gateway, IP/IP gateway, and SOCKS 
  gateway services are disabled. 
  Configuration information: Refer to Chapter 4, “Setting Up the Novell IP 
  Gateway,” on page 45. 


Proxy Services 
  Default setting: If you checked the HTTP Proxy for All Private Interfaces 
  check box during installation, Internet access from a Web browser is 
  enabled. If you did not check the HTTP Proxy for All Private Interfaces 
  check box during installation, Internet access from a Web browser is not 
  enabled. 
  Configuration information: Refer to Chapter 5, “Setting Up Proxy 
  Services,” on page 63. 


Virtual Private Network (VPN) 
  Default setting: Disabled. No default VPN connections are set. The 
  previous configuration must be manually preserved. Refer to “Upgrading 
  VPN from a Previous Version” on page 108 for details. 
  Configuration information: Refer to Chapter 6, “Setting Up Virtual 
  Private Networks,” on page 87. 


Access control 
  Default setting: Enabled. Access from any source to any destination is 
  denied. 
  Configuration information: Refer to Chapter 7, “Setting Up Access 
  Control,” on page 115. 


BorderManager Authentication Services 
  Default setting: No default. You must set up an initial configuration 
  using NetWare® Administrator. 
  Configuration information: Refer to Chapter 8, “Setting Up Novell 
  BorderManager Authentication Services,” on page 127. 


BorderManager Alert 
  Default setting: Default setting is inherited. The alert configuration is 
  inherited from a container higher in the NDS™ tree. 
  Configuration information: Refer to Chapter 9, “Setting Up Alert 
  Notification,” on page 139. 
Table 1-4 
Default Configuration for NetWare 4.11 or Later 


Packet filters 
  Default setting: If you selected Yes to secure access to the public 
  network with the packet filtering option during the installation, the 
  public interface is set to deny access by filtering all packets. You must 
  configure exception lists with the FILTCFG utility to allow specific 
  packet types. If you selected No, the public interface is set to permit 
  all access and does not filter any packets. You must configure exception 
  lists with the FILTCFG utility to filter specific packet types. 
  Configuration information: Refer to Chapter 2, “Setting Up Packet 
  Filters,” on page 25. For a detailed list of the default filters, refer 
  to Novell BorderManager Enterprise Edition 3.5 Overview and Planning in 
  the online documentation. 


Network Address Translation (NAT) 
  Default setting: Disabled. All incoming and outgoing packets are passed 
  without any translation or modification to the address or port. 
  Configuration information: Refer to Chapter 3, “Setting Up NAT,” on 
  page 39. 


Novell IP Gateway 
  Default setting: Disabled. The IPX/IP gateway, IP/IP gateway, and SOCKS 
  gateway services are disabled. 
  Configuration information: Refer to Chapter 4, “Setting Up the Novell IP 
  Gateway,” on page 45. 


Proxy Services 
  Default setting: Disabled. All Proxy Services are disabled, including Web 
  client acceleration (standard proxy cache), Web server acceleration (HTTP 
  acceleration), network acceleration (ICP hierarchical caching), and all 
  application proxies (HTTP, FTP, FTP Reverse, Mail, News, RealAudio*, DNS, 
  HTTPS, SOCKS, Generic, and Transparent). 
  Configuration information: Refer to Chapter 5, “Setting Up Proxy 
  Services,” on page 63. 


Virtual Private Network (VPN) 
  Default setting: Disabled. No default VPN connections are set. The 
  previous configuration must be manually preserved. Refer to “Upgrading 
  VPN from a Previous Version” on page 108 for details. 
  Configuration information: Refer to Chapter 6, “Setting Up Virtual 
  Private Networks,” on page 87. 


Access control 
  Default setting: Disabled. If you enable this feature using NetWare® 
  Administrator, the access control list contains one default rule, which 
  denies access from any source to any destination. 
  Configuration information: Refer to Chapter 7, “Setting Up Access 
  Control,” on page 115. 


BorderManager Authentication Services 
  Default setting: No default. You must set up an initial configuration 
  using NetWare Administrator. 
  Configuration information: Refer to Chapter 8, “Setting Up Novell 
  BorderManager Authentication Services,” on page 127. 


BorderManager Alert 
  Default setting: Default setting is inherited. The alert configuration is 
  inherited from a container higher in the NDS™ tree. 
  Configuration information: Refer to Chapter 9, “Setting Up Alert 
  Notification,” on page 139. 
Chapter 2 


Setting Up Packet Filters 


Packet filters provide Network-layer security to control the types of 
information sent between networks and hosts. Novell® BorderManager™ 
supports Routing Information Protocol (RIP) filters and packet forwarding 
filters to control the service and route information for the common protocol 
suites, including Internetwork Packet Exchange™ (IPX™) software and 
TCP/IP. 

If you chose to secure the public interfaces of your BorderManager server 
during installation, a set of default filters was configured at that time. If you 
performed an upgrade, the existing filters were retained and the default filters 
were added to the filter list. 

The default filters block all traffic through the public interfaces except for the 
traffic being forwarded to and from an enabled BorderManager service. This 
chapter explains the tasks you must complete to configure packet filtering to 
allow additional services to be routed through the BorderManager server. 
This chapter includes the following sections: 

• “Packet Filter Prerequisites” on page 26 

• “Setting Up the Default Filters” on page 26 

• “Setting Up Outbound Packet Filter Exceptions” on page 27 

• “Setting Up Inbound Packet Filter Exceptions” on page 33 

• “Defining Custom Stateful Packet Types” on page 35 

• “Saving Filters to a Text File” on page 36 

• “Enabling Global IP Packet Logging” on page 37 

• “Completing Advanced Setup, Configuration, and Management Tasks” 
on page 37 
Note: This chapter describes the tasks required to set up an initial implementation of 
BorderManager packet filtering. For planning and conceptual information about 
packet filtering, refer to Novell BorderManager Enterprise Edition 3.5 Overview 
and Planning, available in the online documentation. Make sure you understand 
this information before setting up and configuring packet filtering. 


Packet Filter Prerequisites 


Before you begin to configure packet filters for your Novell® 
BorderManager™ server, you should have the following information at hand: 


• Your company security policy 


The security policy should define the communication allowed with 
external sources and between various segments of the corporate intranet. 


• Your current network topology 


You need to know the physical layout of the network components. 


• Information about other firewall components 


You need to know what other security measures are in place (or will be 
in place) so that you do not inadvertently circumvent or disable those 
measures. 


Setting Up the Default Filters 


If you did not choose to secure the public interfaces of Novell® 
BorderManager™ during installation, you can do so at any time. To set up 
default filters, complete the following steps: 


1. At the server console prompt, enter 


LOAD BRDCFG 


2. When prompted, select Yes to configure the set of default filters and 
press Enter. 


3. When prompted to launch INETCFG, select No and press Enter. 


4. From the Filter Configuration Options menu, select Setup filters on 
the Public interface, then press Enter. 


26 Installation and Setup 


5. Select the Public interface from the list and press Enter. 
6. Follow the prompts to enable and configure the default filters. 


The default filter settings block all IPX™ and IP traffic except to and from the 
Novell IP Gateway, Proxy Services, and Virtual Private Networks (VPNs). 
Filter support for both IPX and TCP/IP is automatically enabled when the 
default filters are enabled. 


To manually enable or disable the Filter Support option for the TCP/IP 
protocol, complete the following steps: 


1. At the server console prompt, enter 


LOAD INETCFG 
2. Select Protocols > TCP/IP > Filter Support > Status. 


3. Select Enabled or Disabled and press Enter. 


Note: When Filter Support is disabled, the protocol operates as if the filter module is 
not loaded, and no filtering occurs. When Filter Support is enabled, changes to 
the filter configurations take effect immediately without your having to reinitialize 
the server. 


Setting Up Outbound Packet Filter Exceptions 


Because the default filters don't automatically allow certain packet types to 
cross the firewall, you may also need to enable filter exceptions to enable 
services such as Domain Name System (DNS), e-mail, or FTP. 


The system-defined packet types enable you to configure stateful packet filter 
exceptions for the following services: 


• DNS over UDP 

• DNS over TCP 

• FTP 

• Ping 

• POP3 

• Simple Mail Transfer Protocol (SMTP) 

• Telnet 

• HTTP 

• HTTPS 


With stateful (dynamic) packet filtering, you only need to define the exceptions 
that allow specific types of outbound traffic going to specific destinations to be 
forwarded by the Novell® BorderManager™ server. Stateful packet filtering 
monitors each connection and creates a temporary (time-limited) filter 
exception for the inbound connection. This allows you to block incoming 
traffic originating from a particular port number and address, while still 
allowing return traffic from that same port number and address. 


Stateful packet filters track the outgoing packets allowed to pass and allow 
only the corresponding response packets to return. When the first packet is 
transmitted to the public network (Internet), a reverse filter is dynamically 
created. To be counted as a response, the incoming packet must come from the 
same host and port to which the outbound packet was originally sent. 


To configure stateful packet forwarding exceptions to forward outbound traffic 
through the BorderManager server, complete the following steps: 


1. At the server console prompt, enter 


LOAD FILTCFG 


2. From the Filter Configuration Available Options menu, select 
Configure Interface Options and press Enter. 


3. Select an interface from the list and press Tab to switch between 
Public and Private. 


Any interface listed can be designated as either a public (external) 
interface or a private (internal) interface. 


4. Press Esc, then select Configure TCP/IP Filters > Packet 
Forwarding Filters. 


The window displayed should appear similar to the following. 


Figure 2-1 
Packet Forwarding Filters Window 


Status: Enabled 
Action: Deny Packets in Filter List 


5. Do the following: 


• If the status is Disabled, press Enter, select Enabled, then press 
Enter again. Any TCP/IP filters previously configured become 
active immediately. 


• If the action is Permit Packets in Filter List, press Enter, select 
Deny Packets in Filter List, then press Enter again. Packets 
matching the types listed in the filter list will not be forwarded by 
the BorderManager server. 


6. Select Filters and press Enter to display the filter list. 


A default filter set up during installation blocks all inbound IP packets 
coming from the public interface. 


7. Press Esc. 


8. Select Exceptions and press Enter to display the exceptions list. 


A default filter exception that is set up during installation allows all 
outbound IP packets to be routed through the public interface. 


Other filter exceptions permit the following inbound packet types 
through the public interface: 


• Secure Sockets Layer (SSL) authentication—TCP port 443. 

• Dynamic TCP—TCP ports 1024 to 65535. 

• Dynamic UDP—UDP ports 1024 to 65535. 

• VPN master/slave (IPX™/TCP)—TCP port 213. 

• VPN client authentication—TCP port 353. 

• VPN keep-alive—UDP port 353. 

• VPN Simple Key Management for Internet Protocol (SKIP)—Protocol 57. 

• Web proxy cache (WWW-HTTP)—TCP port 80. 


Note: Although the default filter exceptions allow certain VPN-related packets to be 
forwarded, the default VPN exceptions do not allow encrypted packets to be 
routed from one VPN member to another. The filters for the VPN tunnels must 
be updated each time you configure a VPN server. For more information, refer 
to “Completing Advanced Setup, Configuration, and Management Tasks” on 
page 37, and Chapter 6, “Setting Up Virtual Private Networks,” on page 87. 


9. Press Ins to define a new outbound packet forwarding filter 
exception. 


The Define Exception window is displayed, similar to the following. 


Figure 2-2 
Define Exception Window 


Source Interface Type:       Interface 
Source Interface:            3C904_1 <Private> 
Source Circuit: 
Destination Interface Type:  Interface 
Destination Interface:       NE2000 <Public> 
Destination Circuit: 
Packet Type:                 ftp-both-st        Protocol:           TCP 
Src Port(s):                 1024-65535         Dest Port(s):       21 
ACK Bit Filtering:           Disabled           Stateful Filtering: Enabled 
Src Addr Type:               Any Address 
Src IP Address: 
Dest Addr Type:              Any Address 
Dest IP Address: 
Logging:                     Disabled 
Comment:                     Outbound FTP <both PORT & PASV> filter rule. 




10. Select Source Interface Type and press Enter. 


11. Select Interface or Interface Group and press Enter. 


12. Select Source Interface and press Enter. 


13. Select the BorderManager server's private interface or interface 
group and press Enter. 


14. If you selected a WAN interface in Step 13, select Source Circuit and 
press Enter to define the following circuit information that applies to 
the interface: 


• Local Frame Relay DLCI # (for frame relay)—The data-link 
connection identifier (DLCI) circuit number used for calls. 


• Remote System ID (for PPP, X.25, or ATM)—The name of the 
remote system server or remote peer associated with this circuit. 


• Circuit Parameter Type (for X.25 or ATM)—The type of virtual 
circuit used to establish a connection. 


• Remote DTE Address (for X.25)—The X.121 data terminal 
equipment (DTE) address assigned to the specific remote DTE. 


• Remote ATM Address (for ATM)—The address assigned to the 
specific remote Asynchronous Transfer Mode (ATM). 


15. Select Destination Interface Type and press Enter. 


16. Select Interface or Interface Group and press Enter. 


17. Select Destination Interface and press Enter. 


18. Select the BorderManager server's public interface or interface 
group and press Enter. 


19. If you selected a WAN interface in Step 18, select Destination Circuit 
and press Enter to define the following circuit information that 
applies to the interface: 


• Local Frame Relay DLCI # (for frame relay)—The DLCI circuit 
number used for calls. 


• Remote System ID (for PPP, X.25, or ATM)—The name of the 
remote system server or remote peer associated with this circuit. 


• Circuit Parameter Type (for X.25 or ATM)—The type of virtual 
circuit used to establish a connection. 


• Remote DTE Address (for X.25)—The X.121 DTE address 
assigned to the specific remote DTE. 


• Remote ATM Address (for ATM)—The address assigned to the 
specific remote ATM. 


20. Select Packet Type and press Enter. 


The Defined TCP/IP Packet Types window is displayed. You can select 
any of the following predefined stateful packet forwarding filters: 


Name               Packet Type   Transport Type   Destination Port   Stateful Filtering 
dns/tcp-st         DNS           TCP              53                 Enabled 
dns/udp-st         DNS           UDP              53                 Enabled 
ftp-pasv-st        FTP           TCP              21                 FTP_PASV 
ftp-port-st        FTP           TCP              21                 FTP_PORT 
ftp-port-pasv-st   FTP           TCP              21                 Enabled 
ping-st            PING          ICMP             N/A                Enabled 
pop3-st            POP3 Mail     TCP              110                Disabled 
smtp-st            SMTP          TCP              25                 Enabled 
telnet-st          Telnet        TCP              23                 Enabled 
www-http-st        HTTP          TCP              80                 Enabled 
www-https-st       HTTPS         TCP              443                Enabled 




21. For Src Addr Type, select Any Address, Host, or Network. 


You should select Any Address unless you want the exception to be valid 
only for a specific host or network on your private network. 


22. If you selected Host or Network in Step 21, select Src IP Address and 
enter the host or network address. Otherwise skip to Step 23. 
23. For Dest Addr Type, select Any Address, Host, or Network. 


You should select Any Address unless you want the exception to be valid 
only for packets addressed to a specific host or network outside the 
private network. 


24. If you selected Host or Network in Step 23, select Dest IP Address 
and enter the host or network address. Otherwise skip to Step 25. 


25. (Optional) For Logging, press Enter and change the status from 
Disabled to Enabled. 


26. (Optional) Enter a comment in the Comment field describing the 
purpose of the filter. Press Esc and select Yes to save the filter. Press 
Esc until you are prompted to exit FILTCFG. 


Important: If you enabled logging for a filter exception in Step 25, you must also enable 
global logging for TCP/IP. Both global logging and logging for the specific filter 
exception must be enabled for logging to occur. 


Setting Up Inbound Packet Filter Exceptions 


If you elected to secure the Novell® BorderManager™ server's public interface 
and support Novell IP Gateway or SOCKS clients, you may be required to 
enable inbound packet filter exceptions to allow them to connect through the 
public interface. Novell IP Gateway clients connect through TCP port 8224 and 
port 8225, and SOCKS clients connect through TCP port 1080. 


To configure packet forwarding exceptions to forward inbound Novell IP 
Gateway and SOCKS traffic through the BorderManager server's public 
interface, complete the following steps: 


1. At the server console prompt, enter 


LOAD FILTCFG 
2. Select Configure TCP/IP Filters > Packet Forwarding Filters. 
3. Select Exceptions and press Enter to display the exceptions list. 


4. Press Ins to define a new inbound packet forwarding filter exception. 
5. Configure the exception for Novell IP Gateway clients as follows: 


5a. Select Source Interface Type and press Enter. 

5b. Select Interface or Interface Group and press Enter. 

5c. Select Source Interface and press Enter. 

5d. Select the BorderManager server's public interface or 
interface group and press Enter. 

5e. Select Packet Type and press Enter. 

5f. Press Insert to define a new TCP/IP packet type. 

5g. Select Name and enter a name for the packet type. 

5h. Select Protocol and press Insert. 

5i. Select TCP from the list of commonly used Internet protocols. 

5j. Accept <All> for the Source Port(s). 

5k. Select Destination Port(s) and enter 8224-8225. 

5l. Select Comment and enter a description of the packet type, 
such as Novell IP Gateway Client or SOCKS client. 

5m. Press Esc to add the packet type to the top of the packet list. 

5n. Select the packet type you added. 

5o. Select Dest Addr Type and change the setting from Any 
Address to Host. 

5p. Select Dest IP Address and enter the IP address assigned to the 
BorderManager server's private interface. 

5q. (Optional) Select Comment and enter a description of the filter. 

5r. Press Esc to add the exception. 


6. Configure the exception for SOCKS clients. Repeat Step 5a through 
Step 5r, but in Step 5k, enter 1080 for the destination port. 


7. Press Esc until you are prompted to exit FILTCFG. 


Defining Custom Stateful Packet Types 


The Novell® BorderManager™ firewall has many static packet types defined 
in addition to the stateful packet types listed in Step 20 of “Setting Up 
Outbound Packet Filter Exceptions.” Static packet types are those without -st 
in their names. A static packet type is used to define a filter operating on traffic 
in one direction only. For example, instead of creating a stateful packet filter in 
one direction and relying on the system to enable the time-limited filter in the 
reverse direction, you can create two static packet filters, one for packets 
flowing in each direction. However, stateful packet filters provide more 
security than static packet filters. 


If the stateful packet types already defined by the BorderManager server do not 
include a packet type you want to filter, and you are hesitant to use static packet 
filters, you can create a custom stateful packet type. 


To define a custom stateful packet type, complete the following steps: 
1. From the Defined TCP/IP Packet Types window, press Insert. 
2. Enter the name of the new packet type in the Name field. 


3. For the Protocol field, press Insert and select IP, ICMP, IGMP, TCP, 
or UDP. 


4. If you selected TCP or UDP, enter the source and destination port 
number or range of port numbers. 


5. Do not change the default setting of Disable for ACK Bit Filtering. 


Because ACK bit filtering automatically occurs when stateful packet 
filtering is enabled, you don't need to enable ACK bit filtering separately. 
The software will not allow you to enable both ACK bit filtering and 
stateful packet filtering for the same filter. 


6. Enable stateful filtering by selecting one of the following stateful 
filtering modes: 


• Enabled 

• Enabled for Active FTP only (PORT) 

• Enabled for Passive FTP only (PASV) 


Note: The last two stateful filtering modes apply only to FTP packet types (port 21). If 
you want stateful filtering for both Active FTP and Passive FTP, select Enabled. 


7. (Optional) Enter a comment to describe the packet type. 


The TCP/IP packet type definition will look similar to the following. 


Figure 2-3 
Define TCP/IP Packet Type Window 


Define TCP/IP Packet Type 


Name:                 stateful-email 
Protocol:             TCP 
Source Port(s):       1024-65535 
Destination Port(s):  25 
ACK Bit Filtering:    Disabled 
Stateful Filtering:   Enabled 
Comment:              User-defined filter for e-mail <SMTP> service. 




8. Press Esc to add the packet to the Defined TCP/IP Packet Types list. 


After the packet type has been added to the list, you can set up a stateful 
packet filter using this packet type definition. 
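As an added illustration that is not BorderManager code, the following Python model reproduces the behaviour described in “Setting Up Outbound Packet Filter Exceptions” and in this section: a deny-all public interface, the stateful-email packet type from Figure 2-3 (TCP, source ports 1024-65535, destination port 25), the time-limited reverse filter that the first outbound packet creates, and, for comparison, the pair of static one-direction rules that would replace it. The Packet, PacketType and PublicInterfaceFilter names, the addresses and the timeout are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": private -> public, "in": public -> private
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PacketType:
    """A TCP/IP packet type as entered in FILTCFG; port ranges are inclusive."""
    name: str
    proto: str
    src_ports: tuple
    dst_ports: tuple
    stateful: bool = False

    def matches(self, p):
        return (p.proto == self.proto
                and self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1])


class PublicInterfaceFilter:
    """Deny-all public interface with outbound and (static) inbound exceptions."""

    def __init__(self, outbound, inbound=(), timeout=3):
        self.outbound = list(outbound)
        self.inbound = list(inbound)   # static exceptions, one direction only
        self.timeout = timeout         # reverse-filter lifetime in ticks (constructed)
        self.reverse = {}              # expected reply 5-tuple -> expiry tick
        self.clock = 0

    def tick(self, n=1):
        """Advance the clock and expire reverse filters whose lifetime is over."""
        self.clock += n
        self.reverse = {k: t for k, t in self.reverse.items() if t > self.clock}

    def forward(self, p):
        """True if the server forwards the packet, False if it is filtered."""
        if p.direction == "out":
            for ex in self.outbound:
                if ex.matches(p):
                    if ex.stateful:
                        # The reply must come from the host and port the request
                        # went to, back to the source host and port that sent it.
                        key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
                        self.reverse[key] = self.clock + self.timeout
                    return True
            return False
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.reverse:
            return True
        return any(ex.matches(p) for ex in self.inbound)


def run_scenario():
    """Exercise the stateful-email exception; all addresses are constructed."""
    smtp = PacketType("stateful-email", "TCP", (1024, 65535), (25, 25), stateful=True)
    fw = PublicInterfaceFilter(outbound=[smtp])
    request = Packet("out", "TCP", "10.0.0.5", 4000, "203.0.113.9", 25)
    reply = Packet("in", "TCP", "203.0.113.9", 25, "10.0.0.5", 4000)
    wrong_port = Packet("in", "TCP", "203.0.113.9", 25, "10.0.0.5", 4001)
    unsolicited = Packet("in", "TCP", "198.51.100.7", 25, "10.0.0.5", 4000)
    r = {}
    r["reply_before_request"] = fw.forward(reply)      # no reverse filter yet
    r["request"] = fw.forward(request)                 # matches the exception
    r["reply"] = fw.forward(reply)                     # admitted by the reverse filter
    r["reply_wrong_port"] = fw.forward(wrong_port)     # not the port the request used
    r["unsolicited"] = fw.forward(unsolicited)         # not the host the request went to
    fw.tick(5)                                         # let the reverse filter expire
    r["reply_after_expiry"] = fw.forward(reply)
    # Static alternative: two one-direction rules instead of one stateful rule.
    smtp_out = PacketType("smtp-out", "TCP", (1024, 65535), (25, 25))
    smtp_in = PacketType("smtp-in", "TCP", (25, 25), (1024, 65535))
    static_fw = PublicInterfaceFilter(outbound=[smtp_out], inbound=[smtp_in])
    r["static_unsolicited"] = static_fw.forward(unsolicited)  # source port 25 is enough
    return r
```

The last result is why the text prefers stateful filters: the static inbound rule admits any packet that merely claims source port 25, while the stateful rule admits only the reply to a request the server actually forwarded.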


Saving Filters to a Text File 


To document the filters and exceptions you enabled for your server, complete 
the following steps: 


1. At the server console prompt, enter 


LOAD FILTCFG 
2. Select Save Filters to a Text File. 
3. Enter the filename to which the filters will be saved. 


4. Press Esc to exit FILTCFG. 
Enabling Global IP Packet Logging 


The Global Logging flag allows you to turn logging on and off for all filters 
within a specific protocol, such as TCP/IP. If this flag is not enabled, no logging 
will occur, even if the log flag has been enabled for a specific filter or 
exception. Packet logging records the activity of the individual filters specified 
in the filter lists or the exception lists. 


Note: Logging options can slow server performance. Consider disabling logging after 
you have tested your filters and exceptions. 


To enable global IP logging, complete the following steps: 


1. At the server console prompt, enter 


LOAD FILTCFG 


2. Select Filter Configuration Available Options > Configure TCP/IP 
Filters > Global IP Logging > Status. 


3. Select Enabled and press Enter. 


Note: When Global IP Logging is enabled, logging activity will start. If you want to log 
the activity of a particular filter, you must enable both Global IP Logging and the 
packet logging option for that filter. 


4. Press Esc until you are prompted to exit FILTCFG. 


Completing Advanced Setup, Configuration, and 
Management Tasks 


In addition to the basic setup procedures described in this chapter, there are 
several advanced setup, configuration, or management procedures you might 
need to complete, depending on your specific configuration. Advanced tasks 
are available in the packet filtering online documentation and include the 
following: 

• Setting up an HTTP filter 

• Setting up an FTP filter 

• Setting up a Telnet filter 

• Setting up an SMTP filter 

• Setting up a POP3 filter 

• Modifying default IP packet logging parameters 

• Viewing IP packet log information 
Chapter 3 


Setting Up NAT 


Novell® BorderManager™ Network Address Translation (NAT) allows IP 
clients on your local network to access the Internet without requiring you to 
assign globally unique IP addresses to each system. In addition, NAT acts as a 
filter, allowing only certain outbound connections and guaranteeing that 
inbound connections cannot be initiated from the public network. 


NAT configuration consists of selecting one of three modes: dynamic only, 
static only, or a combination of static and dynamic. 


Dynamic-only mode is used to allow clients on your private network to access 
a public network, such as the Internet. 


Static-only mode is used to allow clients on the public network to access 
selected resources on your private network, or to allow specified private hosts 
to access public hosts. Static-only mode requires the additional configuration 
of a network address translation table. 

The combination static and dynamic mode is used when functions of both the 
static mode and the dynamic mode are required. The combination static and 
dynamic mode also requires the configuration of a network address translation 
table for the static mode. 

This chapter contains the following sections: 

• “NAT Prerequisites” on page 40 

• “Setting Up NAT on a Single Interface” on page 41 

• “Setting Up NAT with Multihoming” on page 42 

• “Completing Advanced Setup, Configuration, and Management Tasks” 
on page 44 
Note: This chapter describes the tasks required to set up an initial implementation of 
BorderManager NAT. For planning and conceptual information about NAT, refer 
to Novell BorderManager Enterprise Edition 3.5 Overview and Planning, 
available in the online documentation. Make sure you understand this 
information before setting up and configuring NAT. 


NAT Prerequisites 
Before configuring NAT, verify that the following prerequisites have been met: 


• A registered IP address has been obtained for each public interface on the 
server. 


• TCP/IP has been enabled for and bound to two interface boards (the 
public and private interfaces). 


If your Novell® BorderManager™ installation was successful, this 
prerequisite has already been satisfied for at least one board. 


• For interfaces that have TCP/IP enabled, IP packet forwarding has been 
enabled or static routing has been enabled to use a static routing table. 


To enable IP packet forwarding from the server console, load INETCFG, 
select Protocols > TCP/IP, and change the status of IP Packet Forwarding 
from Disabled End Node to Enabled Router. 


To configure static routing from the server console, load INETCFG, 
select Protocols > TCP/IP, enable LAN Static Routing, and select LAN 
Static Routing Table to enter static routes. 


• An Internet Service Provider (ISP) connection has been configured with 
enough bandwidth for the number of users on your network. 


If the BorderManager server does not provide the connection to the ISP, 
ensure that the server has a static route configured or that the router to the 
ISP is in the routing path of the BorderManager server. 


Note: It is assumed that all clients that will use the NAT-enabled interface as a default 
route to the Internet have already been configured with a TCP/IP stack and an 
IP address. The IP addresses can be registered or unregistered addresses. 
Setting Up NAT on a Single Interface 


To enable and set up NAT on a LAN or WAN interface, complete the following 
steps: 


1. At the server console, enter 


LOAD INETCFG 
2. Select Protocols > Bindings. 


3. Select the appropriate interface with TCP/IP bound to it. 


NAT can be set up on the private interface or the public interface. The 
public interface is either a LAN or WAN interface that connects your 
router to the Internet or other public network. NAT is most commonly 
used on the public interface. 


4. Select Expert TCP/IP Bind Options. 
5. Select Network Address Translation. 
6. Set Status to Dynamic Only, Static and Dynamic, or Static Only. 


7. If you set Status to Static Only or Static and Dynamic, complete the 
following substeps to map private IP addresses to public IP 
addresses: 


7a. Select Network Address Translation Table. 


7b. Press Ins to open the Network Address Translation Entry 
window. 


7c. In the Public Address field, enter the public IP address to 
which a private address is mapped. 


7d. In the Private Address field, enter the IP address of the private 
host that you want public hosts to access using the public IP 
address specified in Step 7c. 


7e. Press Esc to add the entry to the NAT table. 


7f. For address translation of inbound requests, repeat Step 7b 
through Step 7e for each private host to be accessed by public 
hosts. 
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10. 


11. 


7g. (Optional) If you selected Static Only, for address translation 
of outbound requests, repeat Step 7b through Step 7e for each 
private host that you want to have access to the Internet 
through the NAT-enabled interface using a public address. 


The public addresses can be on the same network or subnetwork as the 
primary IP address, or they can be on a different network or subnetwork. 
If the public addresses are on the same network or subnetwork, use 
multihoming, as described in “Setting Up NAT with Multihoming” on 
page 42, to add secondary addresses to the NAT-enabled interface. 


Each private host address can be mapped to only one public host address. 
To access IP hosts using the public address within the private network, 
ensure that the static address pair specifies the same address for both the 
public and private addresses. 


If NAT is connected to the Internet using multi-access WAN links, you 
must add static routes on your external router so that packets that are 
destined to one of the public addresses can be routed to the NAT 
interface. 


8. If you set Status to Static Only or Static and Dynamic, configure a 
secondary address for each public address you configured in the 
network address translation table. 


Refer to “Setting Up NAT with Multihoming” on page 42 for instructions 
on how to configure a secondary address. 


9. Press Esc until you are prompted to update your changes, then select 
Yes. 


10. Press Esc until you are prompted to exit INETCFG, then select Yes. 


11. If you want the NAT configuration to take effect immediately, bring 
down and restart the server. 
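The static address table built in Step 7, modelled in Python as an added example. This is not Novell code and not how the NAT module is implemented; it enforces the one-to-one rule stated above (one public address per private host and one private host per public address), shows the identity entry used to reach a host that carries a public address from inside the private network, and lists the public addresses that then need secondary addresses on the NAT-enabled interface. The addresses are constructed samples; treating the interface's primary address and identity entries as needing no secondary address is an assumption made here, not a statement from the manual.

```python
"""Static NAT table model (added example; not Novell's NAT implementation).
Sample addresses are constructed for illustration."""
from ipaddress import IPv4Address


class StaticNatTable:
    """Static address pairs as entered in Step 7: each private host maps to
    exactly one public address and a public address serves one private host."""

    def __init__(self):
        self._private_to_public = {}
        self._public_to_private = {}

    def add_pair(self, public, private):
        """Add one Public Address / Private Address entry (Steps 7b to 7e)."""
        pub, priv = IPv4Address(public), IPv4Address(private)
        if priv in self._private_to_public:
            raise ValueError(f"{priv} is already mapped to "
                             f"{self._private_to_public[priv]}")
        if pub in self._public_to_private:
            raise ValueError(f"{pub} is already used by "
                             f"{self._public_to_private[pub]}")
        self._private_to_public[priv] = pub
        self._public_to_private[pub] = priv

    def inbound_destination(self, public_dst):
        """Inbound request to a public address (Step 7f): the private host it
        is forwarded to, or None when no static entry exists."""
        return self._public_to_private.get(IPv4Address(public_dst))

    def outbound_source(self, private_src):
        """Outbound request from a private host (Step 7g): the public address
        its source is rewritten to, or None. In Static Only mode a host
        without an entry has no Internet access through the interface."""
        return self._private_to_public.get(IPv4Address(private_src))

    def secondary_addresses(self, primary):
        """Public addresses that need secondary addresses on the NAT-enabled
        interface. Assumptions: the primary address is already bound, and an
        identity pair (same public and private address) belongs to that host
        rather than to the interface, so both are left out."""
        primary = IPv4Address(primary)
        return [str(pub) for pub in sorted(self._public_to_private)
                if pub != primary and self._public_to_private[pub] != pub]

    def secondary_address_commands(self, primary):
        """One console command per secondary address, in the form the
        multihoming section of the manual shows."""
        return [f"ADD SECONDARY IPADDRESS {a}"
                for a in self.secondary_addresses(primary)]


def build_sample_table():
    """Constructed sample: two private hosts published on public addresses
    plus an identity entry, the manual's case for reaching a host that uses
    a public address from inside the private network."""
    table = StaticNatTable()
    table.add_pair("130.57.1.10", "10.0.0.10")
    table.add_pair("130.57.1.11", "10.0.0.11")
    table.add_pair("130.57.1.50", "130.57.1.50")
    return table


def duplicate_mapping_rejected():
    """A private host cannot be given a second public address."""
    table = build_sample_table()
    try:
        table.add_pair("130.57.1.12", "10.0.0.10")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = build_sample_table()
    print("inbound to 130.57.1.10 ->", table.inbound_destination("130.57.1.10"))
    print("outbound from 10.0.0.11 ->", table.outbound_source("10.0.0.11"))
    print("outbound from 10.0.0.99 ->", table.outbound_source("10.0.0.99"))
    for cmd in table.secondary_address_commands("130.57.1.1"):
        print(cmd)
    print("duplicate rejected:", duplicate_mapping_rejected())
```

Keeping both lookup directions in the model is what makes the one-to-one rule checkable at entry time: the server console does not stop you from typing a second pair for the same private host, so verifying the table before the Step 9 update is the practical check.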


Setting Up NAT with Multihoming 
Multihoming enables a server to have multiple IP addresses. Multihoming can 
be achieved by adding a secondary IP address to an existing interface or by 
physically adding another interface to the server and binding another IP 
address to it. 


A secondary IP address added to an existing interface must be on the same 
network as the IP address already bound to that interface. If there are multiple 
interfaces and the secondary IP address being added is not valid on any of the 
existing networks, the address is rejected and an error message appears on the 
server console. For example, if the IP addresses 130.57.0.1 and 10.0.0.1 are 
bound to two interfaces and you attempt to add 172.16.1.1 as a secondary IP 
address, it will be rejected because it does not belong to the same network as 
130.57.0.1 or 10.0.0.1. 
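The validity rule above, as an added Python example (not Novell code): a candidate secondary address is accepted only if it falls within a network already bound to one of the server's interfaces, using the manual's own addresses. The manual gives no subnet masks, so the classful defaults (/16 for 130.57.0.1, /8 for 10.0.0.1) are an assumption, and rejecting an address that duplicates a primary address is an extra check added here.

```python
"""Secondary IP address validity check (added example; not Novell code)."""
from ipaddress import IPv4Address, IPv4Interface

# The two bound interfaces from the manual's example. The masks are an
# assumption: the manual gives only the addresses, so classful defaults
# are used here.
BOUND_INTERFACES = [
    IPv4Interface("130.57.0.1/16"),
    IPv4Interface("10.0.0.1/8"),
]


def interface_for(candidate, bound=BOUND_INTERFACES):
    """The bound interface whose network contains candidate, or None."""
    addr = IPv4Address(str(candidate))
    for iface in bound:
        if addr in iface.network:
            return iface
    return None


def check_secondary_address(candidate, bound=BOUND_INTERFACES):
    """Decide as the server does: (accepted, message).

    Rejected when the address is not valid on any bound network, the case
    the manual says produces an error on the server console. Rejecting an
    address that duplicates a primary address is an added sanity check,
    not something the manual states.
    """
    addr = IPv4Address(str(candidate))
    if any(addr == iface.ip for iface in bound):
        return False, f"{addr} is already bound as a primary address"
    iface = interface_for(addr, bound)
    if iface is None:
        nets = ", ".join(str(i.network) for i in bound)
        return False, f"{addr} is not on any bound network ({nets})"
    return True, f"ADD SECONDARY IPADDRESS {addr}"


def autoexec_lines(candidates, bound=BOUND_INTERFACES):
    """Split a list of requested secondary addresses into the commands to
    add after the INITSYS.NCF line of AUTOEXEC.NCF and the rejections the
    console would report."""
    accepted, rejected = [], []
    for candidate in candidates:
        ok, message = check_secondary_address(candidate, bound)
        (accepted if ok else rejected).append(message)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed requests: two valid, the manual's rejected 172.16.1.1,
    # and a duplicate of a primary address.
    commands, errors = autoexec_lines(
        ["130.57.5.9", "10.200.3.4", "172.16.1.1", "10.0.0.1"])
    print("\n".join(commands))
    print("\n".join(errors))
```

Running the check before editing AUTOEXEC.NCF avoids the situation the manual warns about, where a bad address is silently rejected at restart and only shows up as a console message.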


Multihoming is required for NAT when static mode is used. For an example of 
using multihoming with NAT, refer to the NAT online documentation. For 
information about how to set up NAT for a particular implementation with 
Proxy Services or the Virtual Private Network (VPN), refer to the Proxy 
Services online documentation or the VPN online documentation. 


When multihoming is used with a proxy server, a VPN, NAT, or any other TCP/ 
IP application, an administrator must configure secondary addresses from the 
server console. 


To configure secondary IP addresses for multihoming, complete the following 
steps: 


1. At the server console, enter 


LOAD INETCFG 

2. Select Protocols. 

3. If TCP/IP was not configured on the public interface during 
installation, enable TCP/IP under Protocols and bind one IP address 
to the public interface under Bindings. 


4. Press Esc until you are prompted to save your changes, then select 
Yes. 


5. Select Manage Configuration > Edit AUTOEXEC.NCF. 


6. Add a secondary IP address by entering the following command 
after the line that executes INITSYS.NCF: 


ADD SECONDARY IPADDRESS n.n.n.n 


where n.n.n.n is your server's secondary IP address. 


Important This command will not take effect until the system is restarted. For this 
command to take effect immediately, enter it at the server console also. 


7. To delete or display secondary IP addresses, press Alt+Esc until the 
server console prompt is displayed. 


You can delete secondary IP addresses by entering the following 
command: 


DELETE SECONDARY IPADDRESS n.n.n.n 

where n.n.n.n is your server's secondary IP address. 


Ensure that when you delete secondary IP addresses, the corresponding 
commands are also removed from AUTOEXEC.NCF. 


You can display secondary IP addresses by entering the following 
command: 


DISPLAY SECONDARY IPADDRESS 


Completing Advanced Setup, Configuration, and 
Management Tasks 
In addition to the basic setup procedures described in this chapter, there are 
several advanced setup, configuration, or management procedures you might 
need to complete, depending on your specific configuration. Advanced tasks 
are available in the NAT online documentation and include the following: 




Using NAT within a private network 


Managing NAT 


Setting Up the Novell IP Gateway 


The Novell® IP Gateway enables Windows™ Internet Packet Exchange™ 
(IPX™) and IP clients on your local network to access the Internet without 
requiring you to assign globally unique IP addresses to each local system. The 
Novell IP Gateway also supports SOCKS clients. In addition, the Novell IP 
Gateway enables you to hide the IP addresses of your local network from the 
Internet and implement access control for local clients. 


This chapter explains the tasks you complete to set up the Novell IP Gateway 
of Novell BorderManager™. It contains the following sections: 


• “Novell IP Gateway Prerequisites” on page 45 
• “Setting Up the Novell IP Gateway” on page 50 
• “Setting Up Gateway Clients” on page 55 


• “Completing Advanced Setup, Configuration, and Management Tasks” 
on page 61 


This chapter describes the tasks required to set up an initial implementation of 
the Novell IP Gateway. For planning and conceptual information about the 
Novell IP Gateway, refer to Novell BorderManager Enterprise Edition 3.5 
Overview and Planning, available in the online documentation. Make sure you 
understand this information before setting up and configuring the Novell IP 
Gateway. 


Novell IP Gateway Prerequisites 


Before you set up the Novell® IP Gateway, you must meet the following 
prerequisites: 


• “Server Prerequisites” on page 46 


• “Client Prerequisites” on page 48 


Server Prerequisites 


Before setting up the Novell IP Gateway, verify that the following prerequisites 
have been met for the gateway server: 


A registered IP address has been obtained for each public interface. 


TCP/IP has been enabled for one or more interface boards (accomplished 
by successful Novell BorderManager™ installation). 


For interfaces that have TCP/IP enabled, IP packet forwarding or static 
routing has been enabled to use a static routing table. 


To enable IP packet forwarding from the server console, load INETCFG, 
select Protocols > TCP/IP, and change the status of IP Packet Forwarding 
from Disabled End Node to Enabled Router. 


To set up static routing from the server console, load INETCFG, select 
Protocols > TCP/IP, enable LAN Static Routing, and select LAN Static 
Routing Table to enter static routes. 


(For IPX™/IP gateway service only) The IPX protocol has been set up 
and bound to at least one interface. 


To set up IPX from the server console, load INETCFG and select 
Protocols > IPX. To bind IPX to an interface on the server, load 
INETCFG and select Bindings. 


An Internet Service Provider (ISP) connection has been set up with 
enough bandwidth for the number of users on your network. 


If the BorderManager server does not provide the connection to the ISP, 
ensure that the server has a static route set up or that the router to the ISP 
is in the BorderManager server's routing path. 


Novell Public Key Infrastructure (PKI) Services and Secure 
Authentication Service (SAS) have been installed on the server to 
support Secure Sockets Layer (SSL) authentication of SOCKS 5 clients. 


PKI and SAS are installed automatically during BorderManager 
installation if the services have not been previously installed. 


After SAS and PKI are installed, you must use the PKI snap-in to 
NetWare® Administrator to perform the following SSL-related 
administrative tasks: 


• Importing certificates signed by an external Certificate Authority 
(CA) 


• Creating and managing Key Material objects (KMOs) used to store 
key pairs in NDS™ 


• Creating an NDS tree CA to sign certificates used on a private 
network 


More information about Novell PKI Services and certificate authorities 
is located in the NetWare 5™ online documentation at the following 
path: Contents > Novell Public Key Infrastructure Services (under the 
Network Services and Security Services headings). 


Refer to the Novell PKI online help in NetWare Administrator for the 
procedures to create and manage NDS tree CAs and KMOs. 


• Domain Name System (DNS) Resolver setup has been performed to 
provide a valid domain name for the DNS and an IP address of at least 
one DNS name server to resolve IP hostnames. This should have been 
done by you during the BorderManager product installation. If the DNS 
Resolver has not been set up, refer to “Setting Up the DNS Resolver” on 
page 47. 


• Packet filtering has been set up to allow DNS query and response 
packets. 


Default installation sets packet filtering to block all incoming and 
outgoing traffic. To modify the packet filtering setup, refer to Chapter 2, 
“Setting Up Packet Filters,” on page 25. 


Setting Up the DNS Resolver 


To set up the DNS Resolver, complete the following steps at the server console: 


1. Enter LOAD NIASCFG, then select Configure NIAS > Protocols 
and Routing > Protocols > TCP/IP > DNS Resolver Configuration. 
2. Enter the DNS domain name for your corporation or organization. 


Your ISP typically supplies this name. Domain names usually take the 
form company_name.com or organization.org. For example, novell.com 
or acme.org. 


3. Enter the IP addresses of up to three DNS name servers in the Name 
Server fields. 


ISPs often provide access to multiple DNS name servers. 


4. Press Esc to select Yes to update the TCP/IP configuration. 


5. Press Esc until you return to the Internetworking Configuration 
menu, then select Reinitialize System and exit NIASCFG. 


Client Prerequisites 


Client prerequisites are provided in the following sections: 


“Novell IP Gateway Administration Prerequisites” on page 48 
“IPX/IP Gateway Client Prerequisites” on page 49 
“IP/IP Gateway Client Prerequisites” on page 49 


“SOCKS Client Prerequisites” on page 49 


Novell IP Gateway Administration Prerequisites 
The client used by an administrator to set up Novell IP Gateway services must 
have the following installed: 


• Windows 95*, Windows 98*, or Windows NT* 4.0 or later 
• The Novell Client™ for Windows* software 
• The BorderManager snap-in modules to NetWare Administrator 


• If the Novell IP Gateway's SOCKS service will be set up to use SSL, a 
Novell PKI Services snap-in module to NetWare Administrator 


Note The BorderManager and PKI snap-in modules can be installed on the server 
instead of the client. This is preferable if an administrator uses multiple client 
machines but has a login script to consistently map a drive to the directory from 
which NetWare Administrator is run (the same directory where the snap-in 
modules are installed). 


IPX/IP Gateway Client Prerequisites 


A client accessing the Internet using the IPX/IP gateway service must have the 
following installed: 


• Windows 3.1, Windows 95, Windows 98, or Windows NT 4.0 or later 

• The Novell Client for Windows software 

• The Novell IP Gateway component of the Novell Client software 


IP/IP Gateway Client Prerequisites 


A client accessing the Internet using the IP/IP gateway service must have the 
following installed: 


• Windows 3.1, Windows 95, Windows 98, or Windows NT 4.0 or later 


• The Novell TCP/IP stack (for Windows 3.1 clients) or the Microsoft* 
TCP/IP stack (for all other Windows clients) 


• The Novell Client for Windows software 


• The Novell IP Gateway component of the Novell Client software 


SOCKS Client Prerequisites 


A SOCKS client accessing the Internet using the Novell IP Gateway SOCKS 
service does not need special configuration. However, to enable the Novell IP 
Gateway to verify or authenticate SOCKS users, the following is required: 


• An administrator must create a User object in NDS for each SOCKS user. 


A SOCKS user who also uses Novell Client software already has a User 
object. However, SOCKS users whose client machines are UNIX*, 
Macintosh*, or OS/2*, most likely require a new User object. 
• The usernames and passwords created in NDS should match the 
usernames and passwords SOCKS 5 clients already use to avoid 
confusion. This prerequisite does not apply to SOCKS 4 users because 
they do not have to use passwords for authentication. 


Setting Up the Novell IP Gateway 


The Novell® IP Gateway consists of two circuit-level gateways: 


• The IPX/IP gateway, which provides Windows IPX™ clients with 
secure, controlled access to the Internet. 


• The IP/IP gateway, which provides Windows-based IP clients with 
secure, controlled access to the Internet. 


When the Novell IP Gateway is set up to act as a SOCKS server, it can also be 
used to authenticate SOCKS clients and determine their access to network 
resources using access control rules stored in the NDS™ database. 


The IPX/IP gateway, IP/IP gateway, and SOCKS services can be enabled to run 
simultaneously on the same server. This permits Windows clients, as well as 
SOCKS clients, to access the Internet through the same Novell 
BorderManager™ server. 


All three gateway services are set up using NetWare® Administrator. For 
detailed instructions, refer to the following procedures: 


• “Setting Up the IPX/IP or IP/IP Gateway Service” on page 50 


• “Setting Up the SOCKS 4 or SOCKS 5 Service” on page 52 


Setting Up the IPX/IP or IP/IP Gateway Service 


You can set up the IPX/IP gateway service to support the use of TCP/IP 
applications by Windows clients that do not have an assigned IP address. You 
can set up the IP/IP gateway service to support NDS access control for 
networks whose clients use TCP/IP. 


To set up the IPX/IP or IP/IP gateway service, complete the following steps: 


1. In NetWare Administrator, select the BorderManager Setup page 
for the server. 


2. Click the Gateway tab. 


3. Under Enable Service, check the IPX/IP Gateway or IP/IP Gateway 
check box. 


4. (Optional) If you want to assign a different port number for gateway 
traffic, complete the following substeps to change the gateway 
service port: 


4a. Under Enable Service, double-click the gateway whose service 
port is to be changed, or highlight the gateway and click 
Details. 


4b. Under Service Attributes, enter a different port number in the 
Service Port field. 


By default, both gateways use port 8225 (decimal). Although 
changing the service port is not recommended, if another service is 
using this port, you can assign a different port number for gateway 
traffic. 


5. (Optional) If you want to enable single sign-on authentication for the 
IPX/IP gateway service, check the Single Sign On Authentication 
check box under Service Attributes. 


Single sign-on authentication enables the IPX/IP gateway to perform a 
background user authentication if the user has already logged in to NDS. 
With single sign-on, users are not required to provide a username and 
password to access resources through the gateway. If single sign-on is not 
enabled, the Novell IP Gateway software performs a secondary 
authentication when a user attempts to access resources using the IPX/IP 
gateway service, regardless of whether the user has already logged in. 


Note Single sign-on applies to the IPX/IP gateway service only. Single sign-on is 
ignored when the IP/IP gateway service is used. 


6. Click OK twice to close the Configure Gateway Services window and 
the BorderManager Setup page. 


When you close the BorderManager Setup page, the server loads 
IPXIPGW.NLM, the gateway NetWare Loadable Module™ (NLM™) 
file, and creates a Gateway Server object in the NDS tree. 


Refer to Chapter 7, “Setting Up Access Control,” on page 115 for information 
about setting up and using access control with the Novell IP Gateway. 
Important Access control rules set up for the Server object using IPX/IP gateway software 
released before BorderManager will no longer operate after you upgrade your 
server to BorderManager and enable the Novell IP Gateway. To take effect, 
these rules must be set up again for the Server object. 


Setting Up the SOCKS 4 or SOCKS 5 Service 


If you have SOCKS 4 or SOCKS 5 clients on your network and want to control 
their access to the Internet through the Novell IP Gateway, you must set up the 
SOCKS service. 


As part of the configuration procedure, you must either specify SOCKS 5 
authentication parameters or enable SOCKS 4 user verification, or do both, if 
your network has a combination of SOCKS 4 and SOCKS 5 clients. 


To set up the SOCKS service on the Novell IP Gateway, complete the following 
steps: 


1. In NetWare Administrator, select the BorderManager Setup page 
for the server. 


2. Select the Gateway tab. 
3. Under Enable Service, check the SOCKS V4 and V5 check box. 


4. (Optional) If you want to assign a different port number for SOCKS 
traffic, complete the following substeps to change the gateway 
service port: 


4a. Under Enable Service, double-click SOCKS V4 and V5, or 
highlight SOCKS V4 and V5 and click Details. 


4b. In the Service Port field, enter a different port number. 


By default, the SOCKS service uses port 1080 (decimal). Although 
changing the service port number is not recommended, if another 
service is using this port, you can assign a different port number for 
SOCKS traffic. 


Important If you change the service port number, you must modify the setup of all SOCKS 
clients to use the new port number. 


4c. Click OK to close the Configure SOCKS V4 and V5 window. 

5. If your network does not have SOCKS 5 clients, skip to Step 6. 
Otherwise, set SOCKS 5 authentication parameters by completing 
the following substeps: 


5a. Under Enable Service, double-click SOCKS V4 and V5, or 
highlight SOCKS V4 and V5 and click Details. 


5b. Under SOCKS V5 Authentication, select any or all of the 
following authentication schemes (listed in order of lowest to 
highest priority): 


An additional method of authentication is available for SOCKS 5 client users. 
SOCKS 5 client users can use security devices such as hardware tokens in 
addition to using their NDS password. Login policies defining the authentication 
rules and access methods required for remote users to authenticate are stored 
in the NDS Login Policy object. See the Authentication Services online 
documentation for more information. 


Important If multiple authentication schemes are selected, the Novell IP Gateway uses the 
highest priority scheme that the client is capable of performing. 


• None—This option is equivalent to the null authentication 
option for SOCKS 5 clients. No authentication is required by 
the Novell IP Gateway. 


• Clear Text User/Password—When the Novell IP Gateway 
authenticates a user, the user's password is transmitted across 
the wire in clear text without any encryption. The password is 
checked against the user's password stored in NDS, but this is 
not the same as NDS authentication. Because a password that 
is transmitted in clear text is insecure, this option should be 
used only if SSL is also selected to encrypt the password 
before it is transmitted. 


• NDS User/Password—When the Novell IP Gateway 
authenticates a user, the user's password is never transmitted 
across the wire. Instead, similar to the authentication of a 
Novell client, the password is used to generate a secure key 
pair. Successive challenge handshakes between the client and 
the server complete the authentication. An NDS authentication 
option must be available in the SOCKS client for this 
authentication scheme to work. 


• SSL—This option requires that an SSL connection between 
the client and the server be established before the Novell 
IP Gateway can authenticate a user with any of the other 
authentication schemes. SSL uses a public key/private key 
encryption system. Enabling this option also ensures the 
encryption of all data transmitted between the client and the 
server. 


Important If SSL and access control are both enabled for the Novell IP Gateway, you must 
also select NDS User/Password or Clear Text User/Password because the SSL 
protocol does not perform user authentication for NDS access control. 


5c. (Optional) If you selected Clear Text User/Password as an 
authentication scheme, click Authentication Context > Context 
> Add, enter the user’s default NDS context and tree, then click 
OK. 


Enter a fully distinguished NDS container name (sales.my.org, for 
example). The NDS container name can have up to 256 characters. 
This entry is optional and makes logging in easier for users. Users 
in the specified container can log in by typing only their login 
names without the complete context string. 


5d. (Optional) If you selected SSL as an authentication scheme, use 
the Key ID pull-down menu to select from a list of available 
files. 


Note A key ID file is available only after you create a KMO in NDS for the server using 
NetWare Administrator. For more information about how to create a KMO, refer 
to the PKI online help in NetWare Administrator or the PKI information located 
in the NetWare 5™ online documentation at the following path: 


Contents > Novell Public Key Infrastructure Services (under the Network 
Services Documentation and Security Services headings) > Setting Up > 
Create a KMO. 


5e. (Optional) Enable single sign-on for SOCKS 5 clients by 
checking the Single Sign On check box under SOCKS V5 
Authentication. 


This option is provided for clients that use both the Novell Client™ 
for Windows and a third-party SOCKS 5 client on the same 
workstation. If a user has already authenticated to NDS by logging 
in from a Novell client and attempts to use a SOCKS 5 client to 
access the Internet through the Novell IP Gateway, the gateway 
does not authenticate the user again. 


For single sign-on to occur, the client machine must be running 
CLNTRUST.EXE and DWNTRUST.EXE. For more information 
about these files, refer to “Setting Up Clients to Use Single Sign- 
On Enabled on the Gateway Server” on page 59. 


Note If single sign-on is enabled but the user has not logged in to NDS or is limited to 
the use of a SOCKS 5 client, the gateway will authenticate the user with one of 
the authentication schemes selected in Step 5b. If single sign-on fails and no 
authentication scheme has been selected, the user's connection is dropped. 


5f. Click OK to close the Configure SOCKS V4 and V5 window. 


6. If your network does not have SOCKS 4 clients, skip to Step 7. 
Otherwise, enable SOCKS 4 user verification by completing the 
following substeps: 


6a. Under Enable Service, double-click SOCKS V4 and V5, or 
highlight SOCKS V4 and V5 and click Details. 


6b. Check the check box for SOCKS V4 User Verification. 


SOCKS 4 user verification requires the Novell IP Gateway to 
verify that the user exists in NDS, but the gateway does not 
authenticate the user. The user does not need to provide a password 
to gain access to the Internet through the gateway. 


6c. Click OK to close the Configure SOCKS V4 and V5 window. 
7. Click OK to close the BorderManager Setup page. 


Refer to Chapter 7, “Setting Up Access Control,” on page 115 for information 
about setting up and using access control with the Novell IP Gateway. 


Note NDS-based access rules for SOCKS clients can restrict access to sites only, 
not to specific URLs. For content filtering, use Cyber Patrol* installed on the 
BorderManager server. 
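The SOCKS 5 scheme selection described in Step 5b and the notes around it, as an added Python example. This is not Novell code and not the gateway's implementation; the scheme names and their priority order are the ones listed in Step 5b, the selection rule is the one stated for multiple selected schemes, the SSL and access control constraint is the Important note, and the single sign-on fallback is the note after Step 5e. Treating SSL as a layer that must be established before a user scheme runs follows the SSL bullet; refusing a client that cannot establish SSL when SSL is selected is an assumption made here. Configurations in the block are constructed.

```python
"""SOCKS 5 authentication scheme selection (added example; not Novell's
SOCKS implementation). Scheme names and their priority order are the ones
listed in Step 5b; the rules are the ones stated in the notes around it."""
from enum import IntEnum


class Scheme(IntEnum):
    """Listed from lowest to highest priority, as in Step 5b."""
    NONE = 0
    CLEAR_TEXT = 1
    NDS = 2
    SSL = 3


class SocksV5Auth:
    """Authentication settings of the SOCKS V4 and V5 service."""

    def __init__(self, selected, access_control=False, single_sign_on=False):
        self.selected = set(selected)
        self.access_control = access_control
        self.single_sign_on = single_sign_on

    def problems(self):
        """Configuration checks worth running before clicking OK."""
        found = []
        user_schemes = {Scheme.NDS, Scheme.CLEAR_TEXT}
        if (Scheme.SSL in self.selected and self.access_control
                and not self.selected & user_schemes):
            found.append("SSL with access control also needs NDS or "
                         "Clear Text User/Password")
        if Scheme.CLEAR_TEXT in self.selected and Scheme.SSL not in self.selected:
            found.append("Clear Text User/Password without SSL sends "
                         "passwords in clear text")
        if self.single_sign_on and not self.selected:
            found.append("no scheme selected: connections are dropped "
                         "when single sign-on does not apply")
        return found

    def negotiate(self, client_capable):
        """(ssl_required, user_scheme) for a client that can perform the
        given schemes. SSL is a prerequisite layer, as the SSL bullet
        describes; the user scheme is the highest-priority selected one the
        client supports (None if there is none). Returns None when SSL is
        selected but the client cannot establish it (assumption: such a
        client cannot be served)."""
        capable = set(client_capable)
        ssl_required = Scheme.SSL in self.selected
        if ssl_required and Scheme.SSL not in capable:
            return None
        usable = (self.selected - {Scheme.SSL}) & capable
        return ssl_required, (max(usable) if usable else None)

    def authenticate(self, client_capable, logged_in_to_nds=False,
                     trust_agents_running=False):
        """Outcome for one connection: 'single-sign-on' when the user is
        already logged in to NDS and CLNTRUST/DWNTRUST are running (Step
        5e), otherwise the scheme(s) used, or 'dropped'."""
        if self.single_sign_on and logged_in_to_nds and trust_agents_running:
            return "single-sign-on"
        result = self.negotiate(client_capable)
        if result is None:
            return "dropped"
        ssl_required, user_scheme = result
        parts = (["SSL"] if ssl_required else []) + \
                ([user_scheme.name] if user_scheme is not None else [])
        return "+".join(parts) if parts else "dropped"


if __name__ == "__main__":
    # Constructed configurations.
    gateway = SocksV5Auth({Scheme.CLEAR_TEXT, Scheme.NDS, Scheme.SSL},
                          access_control=True)
    print(gateway.problems())
    print(gateway.authenticate({Scheme.CLEAR_TEXT, Scheme.NDS, Scheme.SSL}))
    print(gateway.authenticate({Scheme.NONE, Scheme.CLEAR_TEXT}))
    weak = SocksV5Auth({Scheme.SSL}, access_control=True)
    print(weak.problems())
```

The `problems` check is the part to keep: a gateway configured with SSL alone and access control enabled looks secure in the dialog but never authenticates a user for the access rules, which is exactly the case the Important note warns about.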


Setting Up Gateway Clients 


The Novell® IP Gateway client software must be set up on each Windows 
workstation that accesses the Internet through the gateway server. This task is 
typically the responsibility of the network administrator or the person 
responsible for desktop administration and support. In some cases, users set up 
their own gateway client software. 


All gateway clients must have the gateway component of the Novell Client™ 
software installed and set up. The gateway component is installed by selecting 
a custom client installation and selecting Novell IP Gateway from the list of 
additional components to install. 


All clients using the IP/IP gateway must have a TCP/IP stack installed and set 
up. Microsoft's TCP/IP stack is highly recommended because it is included 
with all Windows software except Windows 3.1. Windows 3.1 clients must use 
the Novell TCP/IP stack. All clients and gateway components are shipped as 
part of Novell BorderManager™. The gateway component for Windows NT 
and Windows 3.1 clients is also included on the NetWare 5™ Clients 
CD-ROM. 


If a gateway client uses Windows 95 or Windows 98 client software installed 
from the Clients CD-ROM for a NetWare 5 product release, you must replace it 
with an installation of the Windows 95 or Windows 98 client software provided 
with Novell BorderManager, or use the automatic client upgrade (ACU) feature 
of NetWare 5. More information about this feature is located in the NetWare 5 
online documentation at the following path: 


Contents > Novell Client for Windows 95 (under the Client Documentation 
heading) > Setting Up > ACU Install. 


Refer to the following procedures for setting up Novell IP Gateway clients: 


• “Setting Up Windows NT, Windows 95, or Windows 98 Clients” on 
page 57 


• “Setting Up Windows 3.1 Clients” on page 58 


• “Setting Up SOCKS Clients” on page 58 


• “Setting Up Clients to Use Single Sign-On Enabled on the Gateway 
Server” on page 59 


• “Setting Up Clients to Use the Gateway Client Transparent Proxy” on 
page 60 


Setting Up Windows NT, Windows 95, or Windows 98 Clients 


To enable the gateway client software on Windows NT, Windows 95, or 
Windows 98 clients and set up a preferred gateway server, complete the 
following steps: 


1. Right-click Network Neighborhood, then select Properties. 


2. Do the following: 


• To set up a Windows 95 or Windows 98 client, select the 
Configuration tab and click Novell IP Gateway. 


• To set up a Windows NT client, select the Protocols tab and click 
Novell IP Gateway in the Network Protocols list. 


If you do not see Novell IP Gateway in the list, you probably do not have 
the gateway client component installed on your workstation. Do not 
continue with this procedure until you have installed the Novell Client 
software provided with the Novell BorderManager product. For more 
information, refer to “Installing the Novell Client Software” on page 13. 


3. Click Properties, then check the Enable Gateway check box. 


4. In the Preferred Server field, enter the preferred gateway server. 


The correct syntax for the gateway server is the server name with -GW 
appended to it. You must also include the server's context with a leading 
period. For example, if the Novell IP Gateway is enabled on the server 
SJ-NW5 whose context is docs.novell, specify the preferred gateway 
server as .SJ-NW5-GW.docs.novell. 


5. In the Preferred Tree field, enter the NDS™ tree where the server is 
located, then click OK. 


6. Restart the workstation. 
Setting Up Windows 3.1 Clients 


To enable the gateway client software on Windows 3.1 clients and set up a 
preferred gateway server, complete the following steps: 


1. From the client, run the Novell IP Gateway Switcher program, 
GWSW16.EXE. 


The Switcher program is located in the NOVELL\CLIENT32 directory. 


2. Select one of the following options: 
• Enable Gateway for IPX-to-IP 
• Enable Gateway for IP-to-IP 


• Disable Gateway 


3. If your selection in Step 2 has a Preferred Gateway Server field, 
enter the preferred gateway server, then click OK. 


The correct syntax for the gateway server is the server name with -GW 
appended to it. You must also include the server's context with a leading 
period. For example, if the Novell IP Gateway is enabled on the server 
SJ-NW5 whose context is docs.novell, specify the preferred gateway 
server as .SJ-NW5-GW.docs.novell. 


4. Restart the workstation. 


Setting Up SOCKS Clients 


A workstation running the Novell Client software and a SOCKS application is 
considered a SOCKS client. 


To enable a SOCKS client to use the Novell IP Gateway SOCKS service, the 
IP address or hostname of the BorderManager server is typically set up in the 
SOCKS application to identify the BorderManager server as the SOCKS 
server. 


SOCKS applications might also require the following to be set up: 


• Destinations 
• Redirection rules 
• DNS hostname resolution 
• Authentication schemes 


For more specific information, refer to the documentation provided with your 
SOCKS applications. 


Setting Up Clients to Use Single Sign-On Enabled on the Gateway Server 




When single sign-on is enabled, the Novell IP Gateway software can perform 
background NDS authentication for Windows 95, Windows 98, and Windows 
NT 4.0 clients, and SOCKS 5 clients that have the NDS authentication 
capability. With single sign-on enabled on the server, a user who is already 
logged in is not presented with a login dialog box to use the Novell IP 
Gateway's IPX/IP gateway or SOCKS services. 


Note With this BorderManager release, Windows 3.1 clients cannot be authenticated 
using single sign-on authentication. 


Before single sign-on can occur, the client workstations must be running 

CLNTRUST.EXE and DWNTRUST.EXE. CLNTRUST.EXE enables the 
client to be authenticated in the background, and DWNTRUST.EXE stays 
resident on the client to terminate CLNTRUST.EXE after a user logs out. 


These files are located in the SYS:PUBLIC directory on the server. The 
gateway component of the Novell Client does not run these files automatically, 
nor does the SOCKS 5 client software. Although these files can be copied to 
client machines and run by batch files before users log in to NDS, it is more 
effective to create a login script for each user you want to be authenticated 
using the single sign-on feature. By implementing a login script, when a user 
logs in to NDS from any workstation, that workstation automatically runs 
DWNTRUST.EXE and CLNTRUST.EXE. 


To create a login script, complete the following steps: 


1. In NetWare® Administrator, right-click the container object where 
you want to create a login script and select Details. 


2. Select Login Script. 
3. In the login script field, enter the following lines that apply to the 
operating systems on users' workstations, where Server_Name is the 
name of your server: 


IF OS = "WINNT" THEN 
    # Server_Name\SYS\PUBLIC\DWNTRUST.EXE 
    # Server_Name\SYS\PUBLIC\CLNTRUST.EXE 
END 

IF OS = "WIN95" THEN 
    # Server_Name\SYS\PUBLIC\DWNTRUST.EXE 
    # Server_Name\SYS\PUBLIC\CLNTRUST.EXE 
END 

IF OS = "WIN98" THEN 
    # Server_Name\SYS\PUBLIC\DWNTRUST.EXE 
    # Server_Name\SYS\PUBLIC\CLNTRUST.EXE 
END 


Click OK to close the Login Script page, the Details page, and exit 
NetWare Administrator. 
Because the Gateway Client Transparent proxy feature is enabled by default,
no configuration is required. When a user logs in to NDS, the gateway
component of the Novell Client software locates all the proxy servers that the
user has permission to access. If the user starts a browser session, the Novell IP
Gateway client connects to the first proxy server it finds during its search of the
NDS database and does not make a connection through the Novell IP Gateway.
Completing Advanced Setup, Configuration, and Management Tasks


In addition to the basic setup procedures described in this chapter, there are 
several advanced setup, configuration, or management procedures you might 
need to complete, depending on your specific configuration. Advanced tasks 
are available in the Novell IP Gateway online documentation and include the 
following: 

• Setting up logging for all gateway services

• Decoding gateway packet traces

• Checking gateway real-time activity

• Checking the access control log

• Viewing user statistics

• Viewing host statistics

• Exporting data

• Checking the information log
Setting Up Proxy Services


Proxy Services uses caching to accelerate Internet performance and optimize
WAN bandwidth use. Proxy Services also allows protocol filtering and
improves security by hiding private network domain names and addresses, and
sending all requests through a single gateway.


You can use the service as an application proxy for such services as HTTP,
Gopher, FTP, Simple Mail Transfer Protocol (SMTP), Domain Name System
(DNS), RealAudio*, and Real Time Streaming Protocol (RTSP). You can also
use the service as a protocol filter to prevent certain kinds of user connections
or as a gateway to hide the names and addresses of internal systems so that the
gateway is the only hostname known outside the system.


This chapter explains the tasks you complete to set up Novell® 
BorderManager™ Proxy Services. It contains the following sections: 


“Proxy Services Prerequisites” on page 64
“Setting Up an HTTP Proxy Server” on page 67
“Setting Up an HTTP Accelerator Server” on page 69
“Setting Up an FTP Proxy Server” on page 70
“Setting Up an FTP Accelerator Server” on page 72
“Setting Up a Mail Proxy Server” on page 73
“Setting Up a News Proxy Server” on page 74
“Setting Up a Generic Proxy Server” on page 75
“Setting Up DNS Proxy” on page 76
“Setting Up RealAudio and RTSP Proxies” on page 77
“Setting Up the SOCKS Client (Upstream)” on page 77
“Setting Up HTTP Transparent Proxy” on page 80
“Setting Up Telnet Transparent Proxy” on page 80
“Setting Up Proxy Authentication” on page 81
“Completing Advanced Setup, Configuration, and Management Tasks”
on page 85


Note This chapter describes the tasks required to set up an initial implementation of 
the Proxy Services. For planning and conceptual information about Proxy 
Services, refer to Novell BorderManager Enterprise Edition 3.5 Overview and 
Planning, available in the online documentation. Make sure you understand this 
information before setting up and configuring Proxy Services. 
Proxy Services Prerequisites


Before you set up Proxy Services, ensure that you have the following
information at hand:


• IP addresses of your server's IP interfaces, and which are considered
private or public access


• Port number (8080 by default) and the hostname or IP address of the
Novell® BorderManager™ proxy server


To prepare the proxy server for Internet access, verify that the following 
prerequisites have been met: 




• DNS Resolver setup has been performed to provide a valid domain name
for the DNS and an IP address of at least one DNS name server to resolve
IP hostnames. This should have been done by you during the
BorderManager product installation. If the DNS Resolver has not been
set up, refer to “Setting Up the DNS Resolver” on page 47.


• Packet filtering has been set up to allow DNS query and response
packets.


Default installation sets packet filtering to block all incoming and
outgoing traffic. To modify the packet filtering setup, refer to Chapter 2,
“Setting Up Packet Filters,” on page 25.


• Corporate users who will use Proxy Services to access Internet Web sites
have set up their Web browsers to use the BorderManager proxy server,
as described in the following sections:


  • “Setting Up Microsoft Internet Explorer to Use a Web Proxy” on
  page 66


  • “Setting Up Netscape Navigator to Use a Web Proxy” on page 67


You can also use the BorderManager HTTP Transparent proxy feature to
set up background, automatic proxy services. With HTTP Transparent
proxy, users are not required to configure their browsers to use a proxy;
it is done invisibly for them. For more information about using HTTP
Transparent proxy, refer to “Setting Up HTTP Transparent Proxy” on
page 80.


• The Novell IP Gateway client software has been set up on each
Windows* client that will need to access Internet services and
destinations through the Novell IP Gateway. For more information, refer
to Chapter 4, “Setting Up the Novell IP Gateway,” on page 45.


• Novell Public Key Infrastructure (PKI) Services and Secure
Authentication Service (SAS) have been installed on the server to
support Secure Sockets Layer (SSL) authentication of SOCKS 5 clients.


PKI and SAS are installed automatically during BorderManager
installation if the services have not been previously installed.


After SAS and PKI are installed, you must use the PKI snap-in to
NetWare® Administrator to perform the following SSL-related
administrative tasks:


  • Importing certificates signed by an external Certificate Authority
  (CA)


  • Creating and managing Key Material objects (KMOs) used to store
  key pairs in NDS™


  • Creating an NDS tree CA to sign certificates used on a private
  network


More information about Novell PKI Services and certificate authorities
is located in the NetWare 5™ online documentation at the following
path: Contents > Novell Public Key Infrastructure Services (under the
Network Services and Security Services headings).
Refer to the Novell PKI online help in NetWare Administrator for the
procedures to create and manage NDS tree CAs and KMOs.


Setting Up the DNS Resolver 


To set up the DNS Resolver, complete the following steps at the server console:


1. Enter LOAD NIASCFG, then select Configure NIAS > Protocols
and Routing > Protocols > TCP/IP > DNS Resolver Configuration.


2. Enter the DNS domain name for your corporation or organization.


Your Internet Service Provider (ISP) typically supplies this name.
Domain names usually take the form company_name.com or
organization.org, for example, novell.com or acme.org.


3. Enter the IP addresses of up to three DNS name servers in the Name
Server fields.


ISPs often provide access to multiple DNS name servers.


4. Press Esc to select Yes to update the TCP/IP configuration.


5. Press Esc until you return to the Internetworking Configuration
menu, then select Reinitialize System and exit NIASCFG.


Setting Up Microsoft Internet Explorer to Use a Web Proxy 


To specify the BorderManager proxy server on a Microsoft* Internet Explorer 
Web browser, complete the following steps: 


1. Launch Internet Explorer, then select one of the following menu
paths, based on the software version.


• For Internet Explorer 3.02, select Edit > Options > Connections >
Proxy Settings


• For Internet Explorer 4.01, select View > Internet Options >
Connection > Access the Internet using a proxy server


2. Enter the port number (8080 by default) and hostname—or IP
address—of the BorderManager proxy server in the proxy field.


3. Click Apply.


Another option for Windows 95* users is to open the Control Panel and
double-click Internet. Click the Connection tab, then enter the proxy address.


Setting Up Netscape Navigator to Use a Web Proxy 


To specify the BorderManager proxy server on a Netscape Navigator* 3.x Web 
browser, complete the following steps: 


1. Launch Netscape Navigator, then select Options > Network 
Preferences > Proxies > Manual Proxy Configuration. 


2. Click View. 


3. Enter the hostname—or IP address—and port number (8080) of the 
BorderManager proxy server in the proxy field. 


4. Click OK. 


To specify the BorderManager proxy server on a Netscape Navigator 4.x Web 
browser, complete the following steps: 


1. Launch Netscape Navigator, then select Edit > Preferences > 
Advanced > Proxies > Manual Proxy Configuration > View. 


2. Enter the URL of the BorderManager proxy server in the URL field. 


3. Click OK. 


Setting Up an HTTP Proxy Server 


HTTP proxy resolves URL requests on behalf of Web clients on your network. 
This is also known as forward proxy. These requests are cached, if possible, on 
the proxy server to increase the speed of delivering the same content the next 
time the same information is requested. 


Note The proxy server can also be set up as an HTTP accelerator (reverse proxy) to 
accelerate Web server requests from Internet users for your Web servers on 
your intranet. You can set up a server to be an HTTP proxy server, an HTTP 
accelerator server, or both. 
To set up an HTTP proxy server, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page
for the server.


2. From the Application Proxy tab, check the HTTP Proxy check box.


3. Click Details or double-click the HTTP Proxy service.


4. Click the HTTP tab, then enter the number of the HTTP listening
port.


This is the port on which the proxy server listens for incoming URL
requests from browser clients. The default is 8080.


Note The HTTP proxy listens on interfaces identified as Private or Both, but not on
interfaces identified as Public.


5. Specify whether to do the following:


• Ignore refresh requests from the browser.


If you select this option, the proxy will not access the Web server
to refetch a URL when a user specifies to reload or refresh from the
browser. All user requests will be filled from the cache.


• Filter cookies.


If you select this option, the cookie header is not forwarded to the
origin server, and pages with the Set-Cookie header are not cached.
Enable this option to increase security.


• Enable persistent connections to browsers.


If you select this option, the connection between a browser and a
proxy server remains active even if there is no data flow.


• Enable persistent connections to origin servers.


If you select this option, the connection between the origin server
and the proxy remains active even if there is no data flow.


• Enable or disable Java* applet stripping from HTML files.


When enabled, Java applets are stripped from the HTML file
before the file is displayed in the browser window.


6. Click OK, then click OK again from the BorderManager Setup page.


To set up authentication for an HTTP proxy server, refer to “Setting Up HTTP 
Proxy Authentication” on page 82. 
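As an added illustration (not code from the Novell documentation), the following Python models what the Filter cookies and Ignore refresh requests options in step 5 change for one request/response pair; the option and function names are this example's own, and the sample headers are constructed.

```python
# Added example, not Novell's code: the effect of two HTTP proxy options,
# "Ignore refresh requests from the browser" and "Filter cookies", on what
# the proxy forwards, what it serves from cache, and what it stores.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HttpProxyOptions:
    ignore_refresh: bool = False   # "Ignore refresh requests from the browser"
    filter_cookies: bool = False   # "Filter cookies"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def browser_wants_refresh(request_headers: Dict[str, str]) -> bool:
    """A reload/refresh from the browser arrives as Pragma: no-cache (HTTP/1.0)
    or Cache-Control: no-cache (HTTP/1.1)."""
    pragma = (_header(request_headers, "Pragma") or "").lower()
    cache_control = (_header(request_headers, "Cache-Control") or "").lower()
    return "no-cache" in pragma or "no-cache" in cache_control


def serve_from_cache(request_headers: Dict[str, str], cached: bool,
                     opts: HttpProxyOptions) -> bool:
    """True when the proxy answers from its cache instead of contacting the
    origin server. With ignore_refresh set, a cached object is always used,
    even when the user pressed reload."""
    if not cached:
        return False
    return opts.ignore_refresh or not browser_wants_refresh(request_headers)


def forwarded_request_headers(request_headers: Dict[str, str],
                              opts: HttpProxyOptions) -> Dict[str, str]:
    """Headers sent on to the origin server; with filter_cookies the Cookie
    header never leaves the proxy."""
    return {k: v for k, v in request_headers.items()
            if not (opts.filter_cookies and k.lower() == "cookie")}


def cacheable_response(response_headers: Dict[str, str],
                       opts: HttpProxyOptions) -> bool:
    """With filter_cookies, a response carrying Set-Cookie is not stored, so a
    page personalised for one user is never handed to the next user from cache."""
    return not (opts.filter_cookies
                and _header(response_headers, "Set-Cookie") is not None)


# Constructed sample: a browser reload carrying a session cookie, and the
# origin server's reply that (re)sets the cookie.
SAMPLE_REQUEST = {"Host": "www.example.com", "Cache-Control": "no-cache",
                  "Cookie": "SESSION=abc123"}
SAMPLE_RESPONSE = {"Content-Type": "text/html",
                   "Set-Cookie": "SESSION=abc123; Path=/"}
```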


Setting Up an HTTP Accelerator Server 


HTTP acceleration is also known as reverse proxy. In this case, the server acts
as the front end to your Web servers on your Internet or intranet. Heavily
loaded servers benefit from off-loading frequent requests to the proxy server.
Security is also increased when the IP addresses of your Web servers are hidden
from the Internet.


Note You need at least one private and one public address to use the proxy server.
You can, however, use a single address as both a public address and a private
address. The HTTP accelerator listens on interfaces identified as Public or Both,
but not on interfaces identified as Private. The best security involves two
interfaces.


Note You can set up a server to be an HTTP accelerator server, an HTTP proxy
server, or both.


To set up an HTTP accelerator server, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Acceleration tab, check the HTTP Acceleration check box. 
3. Click Details or double-click the HTTP Acceleration service. 


4. Click Add to add a new acceleration server to the HTTP Accelerator 
list, then do the following: 


4a. Specify whether to enable this HTTP accelerator server after 
you have set it up. 


The default is Disabled. Specify to disable the server if you are 
setting up for multiple accelerations. You can disable one or more 
servers without affecting the other accelerated sites. 


4b. Specify whether to enable authentication for this accelerator. 
4c. Enter the accelerator server name.


If reverse proxy authentication is enabled in Step 4b, the
accelerator server name must be the DNS domain name of the Web
site that is being accelerated. The DNS domain name entry should
be the same for both inbound and outbound configurations.


4d. Enter the port number the origin Web server is listening on for 
incoming connections. 


The default is 80 for HTTP.


4e. Click Add and enter a Web server name or IP address.


4f. Click Add and select one or more public proxy IP addresses. 


These are the addresses the accelerator will listen on for incoming 
connections from the Internet. 


Note You can associate one or several public IP addresses with a particular domain 
name, but the combination of the IP address and the port must be unique. 


For example, you have a Web server www1.myco.com and two proxy IP 
addresses (1.2.3.4 and 1.2.3.5), and the Web server is listening on port 80. You 
can configure an accelerator entry for www1.myco.com with port 80 and two 
proxy IP addresses (1.2.3.4 and 1.2.3.5). 


As another example, you have multiple Web servers and several proxy IP 
addresses. You can configure two entries: one for www1.myco.com with port 80 
and IP address 1.2.3.4, and another for www2.myco.com with port 80 and IP 
address 1.2.3.5. 


4g. Specify whether to accelerate on a different port, and enter an 
accelerator port number. 


All internal Web server links must be relative URLs.


5. Click OK, then click OK again from the BorderManager Setup page.


To set up authentication for an HTTP accelerator server, refer to “Setting Up 
HTTP Proxy Authentication” on page 82. 


Setting Up an FTP Proxy Server 


You can use an FTP proxy server to control access to FTP sites. This enforces
centralized control over Internet or intranet access. You can also use an FTP
proxy server to cache data for anonymous users to enable faster downloads.
Note The proxy server can also be set up as an FTP accelerator to accelerate FTP
requests from Internet or intranet users to your FTP servers. You can set up a
server to be an FTP proxy server, an FTP accelerator server, or both. If the
server is set up for both, you must have separate public and private addresses.


To set up an FTP proxy server, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page
for the server.


2. From the Application Proxy tab, check the FTP Proxy check box.


3. Click Details or double-click the FTP Proxy service.


4. Enter a username/password separator.


The username/password separator is used to separate the NDS™
username, FTP username, and FTP hostname in the USER command; and
the NDS user password and FTP password in the PASS command. The
user enters these commands when connecting to the FTP proxy. The
default is the dollar sign ($).


For example, enter the following at the user and pass prompts:


user> john_smith.novell$anonymous$ftp.novell.com
pass> xxxxx$yyyyy


where john_smith.novell is the NDS username, anonymous is the FTP
username, ftp.novell.com is the FTP host, xxxxx is the NDS password for
john_smith, and yyyyy is the FTP password for anonymous users at
ftp.novell.com.


5. Enter an anonymous FTP e-mail address or keep the default.


This is the e-mail address used as the password for the anonymous FTP
login by the FTP client of the proxy server. The default is
NovellProxyCache@.


6. Select a method of user authentication: none, clear text username/
password, or single sign-on.


• None—The user will not be required to enter the FTP proxy
username and password when accessing the FTP server, and will
need to supply only the FTP hostname and password.


• Clear text username/password—The user must enter a fully
distinguished NDS username, FTP username, and FTP hostname at
the user prompt; and an NDS password and FTP password at the
pass prompt.


• Single sign-on—If a user is logged in to NetWare through the latest
Novell Client™, the user is not prompted to authenticate to the
proxy.


7. Click OK, then click OK again from the BorderManager Setup page.


To set up the server as an FTP accelerator as well, refer to “Setting Up an FTP 
Accelerator Server” on page 72. 
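The USER/PASS format from the username/password separator step above, as an added example that is not Novell's code: it splits the two commands with a configurable separator and shows which parts would be relayed to the origin FTP server. Splitting PASS at the first separator only (so the FTP password may itself contain the separator) and the function names are this example's own assumptions.

```python
# Added example, not Novell's code: parse the FTP proxy USER/PASS commands of
# the clear-text username/password scheme. The separator is configurable; the
# default, as in the setup dialog, is "$".
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProxyLogin:
    nds_user: str       # fully distinguished NDS username, e.g. john_smith.novell
    ftp_user: str       # username presented to the origin FTP server
    ftp_host: str       # origin FTP server the proxy connects to
    nds_password: str   # checked by the proxy against NDS, never relayed
    ftp_password: str   # relayed to the origin FTP server


def parse_user_command(arg: str, sep: str = "$") -> Tuple[str, str, str]:
    """USER argument: NDS_user<sep>FTP_user<sep>FTP_host, all three required."""
    parts = arg.split(sep)
    if len(parts) != 3 or not all(parts):
        raise ValueError("USER must be NDS_user%sFTP_user%sFTP_host" % (sep, sep))
    return parts[0], parts[1], parts[2]


def parse_pass_command(arg: str, sep: str = "$") -> Tuple[str, str]:
    """PASS argument: NDS_password<sep>FTP_password.
    Assumption: split at the first separator only, so the NDS password cannot
    contain the separator but the FTP password can."""
    nds_pw, found, ftp_pw = arg.partition(sep)
    if not found or not nds_pw or not ftp_pw:
        raise ValueError("PASS must be NDS_password%sFTP_password" % sep)
    return nds_pw, ftp_pw


def build_login(user_arg: str, pass_arg: str, sep: str = "$") -> ProxyLogin:
    """Combine the two commands the user typed at the proxy into one record."""
    nds_user, ftp_user, ftp_host = parse_user_command(user_arg, sep)
    nds_pw, ftp_pw = parse_pass_command(pass_arg, sep)
    return ProxyLogin(nds_user, ftp_user, ftp_host, nds_pw, ftp_pw)


def origin_commands(login: ProxyLogin) -> List[str]:
    """The FTP commands the proxy relays to login.ftp_host after the NDS
    credentials have been verified; the NDS parts stay on the proxy."""
    return ["USER " + login.ftp_user, "PASS " + login.ftp_password]
```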
Setting Up an FTP Accelerator Server


FTP acceleration is also called FTP reverse proxy. The server acts as the front
end to your FTP servers on your Internet or intranet. Frequent requests can be
off-loaded from heavily loaded origin FTP servers to the proxy server. Security
is increased when the IP addresses of your FTP servers are hidden from the
Internet or intranet.


Note You can set up a server to be an FTP accelerator server, an FTP proxy server,
or both. If the server is set up for both, you must have separate public and private
addresses.


To set up an FTP accelerator server, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Acceleration tab, check the FTP Acceleration check box. 
3. Click Details or double-click an FTP Acceleration service. 


4. Click Add, then do the following: 


4a. Specify whether to enable the FTP accelerator server after you 
have set it up. 


4b. Enter the hostname of the origin FTP server. 
4c. Select one or more public proxy IP addresses from the list.


These are the addresses the accelerator will listen on for incoming 
connections from the Internet. 


Note You can associate one or several public IP addresses with a particular domain 
name, but the combination of the IP address and the port must be unique. 


For example, you have an FTP server ftp1.myco.com and two IP addresses
(1.2.3.4 and 1.2.3.5), and the FTP server is listening on port 21. You can
configure an accelerator entry for ftp1.myco.com with port 21 and two IP
addresses (1.2.3.4 and 1.2.3.5).


As another example, you have multiple FTP servers and several IP addresses. 
You can configure two entries: one for ftp1.myco.com with port 21 and IP 
address 1.2.3.4, and another for ftp2.myco.com with port 21 and IP address 
1.2.3.5. 


5. Click OK, then click OK again from the BorderManager Setup page. 


Setting Up a Mail Proxy Server 


A Mail proxy server provides secure SMTP mail services for incoming and 
outgoing mail. It can also be used to hide internal domain names and mail hosts 
for scanning incoming mail. You can use the Mail proxy between the existing 
intranet mail server and the Internet, or directly between the intranet and the 
Internet without an intranet mail server. 


To set up a Mail proxy server, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Application Proxy tab, check the Mail Proxy check box. 
3. Click Details or double-click the Mail Proxy service. 


4. Enter values for the following Mail proxy parameters:


• Spool Directory—The directory in which the mail files are
temporarily stored.


This must be an absolute path on the server, including the volume
name, for example, SYS:\ETC\PROXY\SPOOL.


• Spool Directory Max Size—The maximum size (in MB) of the
mail spool directory.


• Max Mail Size—The maximum size (in MB) of a mail item.


• Failed Mail Retry Interval—The maximum number of minutes
before the next attempt by the Mail proxy to forward undeliverable
mail.


• Failed Mail Retry Count—The maximum number of times the
Mail proxy attempts to forward undeliverable mail.


• Primary Mail Domain Name—(Optional) The domain name that is
used to substitute the From address in an e-mail message. This
name replaces the internal domain name in outbound mail headers
and hides the internal network architecture. If this parameter is
unspecified, the local DNS domain name is used as the primary
mail domain name. If the local DNS domain name is not
configured as well, the From address remains as is.


• Internal Mail Server Name—The Mail eXchange (DNS MX
record) name or internal mail domain name of the mail server on
the internal network.


• POP3 Mail Server Name—The name or IP address of the server
running the Post Office Protocol 3 (POP3) software.


5. Click OK, then click OK again from the BorderManager Setup page.
Setting Up a News Proxy Server


A News proxy server accesses Usenet news on the Internet and provides secure
Network News Transfer Protocol (NNTP) news services for transferring news
articles in both directions between the intranet and the Internet. A News proxy
server can also selectively filter out unwanted news groups. However, a News
proxy server cannot cache news articles.


To set up a News proxy server, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page
for the server.


2. From the Application Proxy tab, check the News Proxy check box.


3. Click Details or double-click the News Proxy service.


4. (Optional) Enter the primary news domain name.


This is the domain name that is used to substitute the From address in
posted news articles. This name replaces the internal originating
hostnames in outbound news article header lines and hides the internal
network architecture. If this parameter is unspecified, the News proxy
uses the DNS domain name in the From address.


5. (Optional) Enter the server name or IP address of the private
(internal) news servers to which the incoming news articles are
forwarded.


If you do not specify this information, the proxy server will not accept
the connections from the public news servers to forward or retrieve
articles from the private news servers.


6. Click Add and specify the DNS hostnames or IP addresses of the
public (external) news servers from which news articles are
retrieved.


You must specify at least one server for the News proxy to work if a
private news server is set up. The proxy connects to the first public news
server on the list, and all queries from the private news server and readers
are forwarded to that server. If the connection to the first server on the list
fails, the News proxy will use the next server on the list, and so on.


7. Click OK, then click OK again from the BorderManager Setup page.
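The From-address substitution described for the Mail proxy (Primary Mail Domain Name) and for the News proxy (primary news domain name) above, as an added example that is not Novell's code; it applies the stated fallback order (configured primary domain, then the server's DNS domain name, otherwise the address is left unchanged) using the standard library's address parser. The sample headers are constructed.

```python
# Added example, not Novell's code: rewrite the domain of an outbound From
# address so that internal host and domain names do not leave the network.
from email.utils import formataddr, parseaddr
from typing import List, Optional, Tuple


def outbound_domain(primary_domain: Optional[str],
                    dns_domain: Optional[str]) -> Optional[str]:
    """Primary domain if configured, else the DNS domain name, else None."""
    return primary_domain or dns_domain or None


def rewrite_from(header_value: str, primary_domain: Optional[str],
                 dns_domain: Optional[str]) -> str:
    """Replace the domain part of the From address with the outbound domain.
    The local part and any display name are kept; when no domain is
    configured at all, or the value is not an addr-spec, it is returned as is."""
    domain = outbound_domain(primary_domain, dns_domain)
    if domain is None:
        return header_value
    name, addr = parseaddr(header_value)
    local, at, _internal_domain = addr.partition("@")
    if not at or not local:
        return header_value
    return formataddr((name, f"{local}@{domain}"))


def rewrite_headers(headers: List[Tuple[str, str]], primary_domain: Optional[str],
                    dns_domain: Optional[str]) -> List[Tuple[str, str]]:
    """Apply the rewrite to the From header of a mail message or news article;
    every other header passes through untouched."""
    return [(name, rewrite_from(value, primary_domain, dns_domain)
             if name.lower() == "from" else value)
            for name, value in headers]


# Constructed sample: outbound mail headers as generated on an internal host.
SAMPLE_HEADERS = [
    ("From", "John Smith <john@mailhost.corp.myco.com>"),
    ("To", "partner@example.net"),
    ("Subject", "Q3 order"),
]
```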


Setting Up a Generic Proxy Server 


Use a Generic proxy server to access multiple protocols if the application proxy 
you need (for example, Telnet and rlogin) is not already defined in 
BorderManager. Generic proxy tunnels data without caching it. 


To set up a Generic TCP or UDP proxy server, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page
for the server.


2. From the Application Proxy tab, check the Generic TCP Proxy or
the Generic UDP Proxy check box.


3. Click Details, or double-click the Generic TCP Proxy service or the
Generic UDP Proxy service.


Note The following steps are the same for setting up a Generic TCP or UDP proxy
server.


4. Click Add to add a server to the Forward List, then complete the
following substeps:


4a. Specify whether to enable the Generic proxy server after you
have set it up.


4b. Enter the hostname of the origin server.


4c. Enter the port number the origin server is listening on for
incoming connections.


The default is 0 for Generic proxy.


4d. Select one or more public proxy IP addresses of the proxy
server.


These are the addresses you want the proxy to listen on for
incoming connections from the Internet.


4e. Enter the port number for the proxy server.


The default is 0.


Note You can associate one or several public IP addresses with a particular domain
name, but the combination of the IP address and the port must be unique.


4f. Click OK.


5. Click OK, then click OK again from the BorderManager Setup page.
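An added example (not Novell's code) that checks a list of accelerator and forward-list entries against two rules stated above for the HTTP accelerator, the FTP accelerator and the Generic proxy: each combination of public IP address and port may belong to one entry only, and accelerators listen only on interfaces labelled Public or Both. Treating TCP and UDP listeners as separate, and the entry and interface-table layout, are this example's assumptions; the entries are the ones given in the text plus constructed ones.

```python
# Added example, not Novell's code: validate accelerator / forward-list entries
# for (public IP, port) uniqueness and for listening only on Public/Both interfaces.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ForwardEntry:
    service: str                  # "HTTP", "FTP", "Generic TCP" or "Generic UDP"
    origin_host: str              # e.g. www1.myco.com
    origin_port: int              # port the origin server listens on (80, 21, ...)
    public_addresses: List[str]   # public proxy IP addresses the entry listens on
    accelerator_port: Optional[int] = None   # "accelerate on a different port"

    def listen_port(self) -> int:
        return self.origin_port if self.accelerator_port is None else self.accelerator_port

    def transport(self) -> str:
        # Assumption: a UDP and a TCP listener on the same address/port do not clash.
        return "udp" if self.service == "Generic UDP" else "tcp"


Conflict = Tuple[str, int, str, List[str]]   # (ip, port, transport, origin hosts)


def find_listener_conflicts(entries: List[ForwardEntry]) -> List[Conflict]:
    """Every (public IP, port) pair may be claimed by one entry only; a domain
    may still be served on several public addresses."""
    owners: Dict[Tuple[str, int, str], List[str]] = defaultdict(list)
    for entry in entries:
        for ip in entry.public_addresses:
            owners[(ip, entry.listen_port(), entry.transport())].append(entry.origin_host)
    return sorted((ip, port, proto, hosts)
                  for (ip, port, proto), hosts in owners.items() if len(hosts) > 1)


def find_private_listeners(entries: List[ForwardEntry],
                           interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Accelerators listen on interfaces marked Public or Both, never Private.
    interfaces maps each server IP address to its label; unknown addresses are
    treated as Private."""
    offenders = []
    for entry in entries:
        for ip in entry.public_addresses:
            if interfaces.get(ip, "Private") not in ("Public", "Both"):
                offenders.append((entry.origin_host, ip))
    return offenders


# Constructed interface table and the two valid configurations from the text.
INTERFACES = {"1.2.3.4": "Public", "1.2.3.5": "Public", "10.0.0.1": "Private"}
ONE_SITE_TWO_ADDRESSES = [ForwardEntry("HTTP", "www1.myco.com", 80, ["1.2.3.4", "1.2.3.5"])]
TWO_SITES = [ForwardEntry("HTTP", "www1.myco.com", 80, ["1.2.3.4"]),
             ForwardEntry("HTTP", "www2.myco.com", 80, ["1.2.3.5"])]
```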
Setting Up DNS Proxy


DNS proxy acts as a DNS name server for clients on the intranet. The DNS
proxy caches DNS records.


Note The intranet client must have the private IP address of the DNS proxy configured
as the address of the DNS name server. For servers, you can set up the IP
addresses of the DNS name servers and the domain name in the
SYS:\ETC\RESOLV.CFG file.


To enable DNS proxy, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page
for the server.


2. From the Application Proxy tab, check the DNS proxy check box.


3. Click Details, or double-click the DNS proxy service.


4. Click OK, then click OK again from the BorderManager Setup page.


Setting Up RealAudio and RTSP Proxies 


RealAudio and RTSP proxies access a RealAudio server on the Internet and 
enable an intranet user to download and play back audio and video information 
in real time. 


To enable RealAudio and RTSP proxies, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Application Proxy tab, check the RealAudio and RTSP 
Proxies check box. 


3. Click Details, or double-click the RealAudio and RTSP Proxies 
service. 


4. Click OK, then click OK again from the BorderManager Setup page. 


Setting Up the SOCKS Client (Upstream) 


This feature enables a proxy to authenticate through a SOCKS 4 or SOCKS 5 
firewall. SOCKS is a circuit-gateway type of protocol. With SOCKS, hosts 
behind a firewall can gain full access to the Internet without full IP reachability. 
When SOCKS support is enabled, all requests sent to the Internet are forwarded 
to a SOCKS 5 server and the proxy is used for caching only. 


When the proxy receives a request, it checks its cache. If the requested object 
is not in the cache, the proxy makes a TCP connection to the SOCKS server 
and redirects the request from the intranet to the SOCKS server, allowing for 
more secure Internet access. The SOCKS server then connects to the origin 
server and retrieves the object. Null and username/password authentication are 
supported. 
Setting up HTTP or FTP proxy support through SOCKS has three steps:

• Setting up the Proxy Services software to act as a SOCKS client

• Setting up the Novell® IP Gateway to act as a SOCKS server

• Setting up the browser


The SOCKS client can also be used with a third-party SOCKS server instead
of the Novell IP Gateway.


To set up the proxy server and the Novell IP Gateway to support SOCKS
through HTTP proxy or FTP proxy, complete the following steps:


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Application proxy tab, select HTTP or FTP proxy. 
3. Click SOCKS Client, then check the Enable SOCKS check box. 
4. Specify the IP address of the SOCKS server. 


5. Enter the port number of the SOCKS server. 
The default is 1080. 

6. Click Username/Password and enter a username and password that 
the proxy will use to authenticate with the SOCKS server. 


If you select No Authentication and do not specify a username and 
password, null authentication will be used. The username and password 
must match the username and password configured for the SOCKS 
server in Step 8 or at the third-party SOCKS server. If you configure null 
authentication, make sure that the SOCKS server is set up to allow null 
authentication. 


7. Click OK to close the SOCKS Client page. 


8. If you are not using a third-party SOCKS server, do the following: 


Note The following steps apply only if the upstream SOCKS server is running Novell 
BorderManager™. 


8a. Click the Gateway tab.


8b. Check the SOCKS V4 and V5 check box, then click Details.


8c. (Optional) Enter the port number of the SOCKS server.


The default is 1080. This enables the Novell IP Gateway to act as
a SOCKS server. Assign a different port number for SOCKS traffic
if another service is already using this port.


8d. Select SOCKS V5 or SOCKS V4.


Select V5 if the server must work with the BorderManager SOCKS
client. If you select V5, select single sign-on and specify an
authentication scheme. If you select SSL as an authentication
scheme, select a key ID.


Note Use the NetWare Administrator PKI Services to change and create key IDs in
an NDS tree. For more information, refer to the PKI online help in NetWare
Administrator or the PKI information located in the following path: Contents >
Novell Public Key Infrastructure Services (under the Network Services
Documentation and Security Services headings).


8e. Select an authentication method.


8f. Click OK.


8g. Select the Users setup page and enter the username and
password of the SOCKS client.


The username and password must match the username and
password you configured for the SOCKS client in Step 6.


8h. Click OK.


9. Click OK from the BorderManager Setup page.


10. To use a browser from a workstation, open the configuration window
for the browser. In the field provided to specify the location of the
HTTP proxy, enter the IP address or DNS hostname of the server
running BorderManager.


This allows requests from the browser to be sent to the SOCKS client
operating with BorderManager Proxy Services, then forwarded to the
SOCKS server if the requested information is not found in the proxy
cache.
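The method negotiation between the proxy's SOCKS client (Step 6) and the upstream SOCKS 5 server (Step 8), as an added example that is not Novell's code; it follows RFC 1928 and RFC 1929 for the two schemes the text names, null and username/password. The server side is a stand-in with a constructed user table, not the Novell IP Gateway, and it shows the failure the text warns about: a client configured for null authentication against a server that does not allow it.

```python
# Added example, not Novell's code: SOCKS 5 method selection (RFC 1928) and
# username/password sub-negotiation (RFC 1929) with both sides run in-process.
import hmac
from typing import Dict, Optional

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00         # "null" authentication
METHOD_USERPASS = 0x02        # username/password
NO_ACCEPTABLE_METHODS = 0xFF
USERPASS_VERSION = 0x01


def client_greeting(username: Optional[str]) -> bytes:
    """VER NMETHODS METHODS. The proxy offers username/password when a
    username is configured (Step 6), otherwise only null authentication."""
    method = METHOD_NO_AUTH if username is None else METHOD_USERPASS
    return bytes([SOCKS_VERSION, 1, method])


def server_method_choice(greeting: bytes, allow_null: bool,
                         users: Dict[str, str]) -> bytes:
    """Server reply VER METHOD. Username/password is preferred when offered
    and users are configured; 0xFF tells the client to close the connection."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS greeting")
    offered = set(greeting[2:])
    if METHOD_USERPASS in offered and users:
        return bytes([SOCKS_VERSION, METHOD_USERPASS])
    if METHOD_NO_AUTH in offered and allow_null:
        return bytes([SOCKS_VERSION, METHOD_NO_AUTH])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE_METHODS])


def userpass_request(username: str, password: str) -> bytes:
    """RFC 1929 request: VER ULEN UNAME PLEN PASSWD, each field 1..255 bytes."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def server_userpass_reply(request: bytes, users: Dict[str, str]) -> bytes:
    """RFC 1929 reply: VER STATUS, 0x00 on success, anything else is failure.
    A malformed request is answered as a failure rather than raising."""
    try:
        if request[0] != USERPASS_VERSION:
            raise ValueError
        ulen = request[1]
        uname = request[2:2 + ulen].decode("utf-8")
        plen = request[2 + ulen]
        passwd = request[3 + ulen:3 + ulen + plen]
        if len(uname.encode("utf-8")) != ulen or len(request) != 3 + ulen + plen:
            raise ValueError
    except (IndexError, ValueError, UnicodeDecodeError):
        return bytes([USERPASS_VERSION, 0x01])
    expected = users.get(uname)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    ok = expected is not None and hmac.compare_digest(expected.encode("utf-8"), passwd)
    return bytes([USERPASS_VERSION, 0x00 if ok else 0x01])


def negotiate(username: Optional[str], password: Optional[str],
              allow_null: bool, users: Dict[str, str]) -> str:
    """Run the client and the stand-in server in-process and report the outcome."""
    choice = server_method_choice(client_greeting(username), allow_null, users)
    method = choice[1]
    if method == NO_ACCEPTABLE_METHODS:
        return "no acceptable method"   # e.g. null offered but server requires credentials
    if method == METHOD_NO_AUTH:
        return "null authentication"
    reply = server_userpass_reply(userpass_request(username, password or ""), users)
    return "username/password accepted" if reply[1] == 0x00 else "username/password rejected"
```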
Setting Up HTTP Transparent Proxy


HTTP Transparent proxy enables you to use an HTTP proxy server without 
having to reconfigure each user's browser. Use HTTP Transparent proxy to 
require users to send requests through the proxy server. 


When you use HTTP Transparent proxy, the clients must use the proxy's 
private IP address as the TCP/IP gateway address. IP forwarding must be 
enabled on the server. 


To set up HTTP Transparent proxy, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Transparent Proxy tab, check the Transparent HTTP 
Proxy check box. 


3. Click Details or double-click the Transparent Proxy service. 


4. Click Add and enter a port for monitoring. 


For example, specify 80 for HTTP traffic. 


5. In the Exception IP Address List, click Add and enter a local IP 
address. 


6. Click OK, then click OK again from the BorderManager Setup page. 


Note When HTTP Transparent proxy is enabled, it is also automatically enabled for 
the Novell® IP Gateway, if applicable. 


To set up authentication for HTTP Transparent proxy, refer to “Setting Up 
HTTP Transparent Proxy Authentication” on page 83. 


Setting Up Telnet Transparent Proxy 


Telnet Transparent proxy enables you to use a Telnet proxy server without 
having to manually connect to a proxy server. 


When you use Telnet Transparent proxy, the clients must either use the proxy's 
private IP address as the TCP/IP gateway address or the proxy server must be 
in the routing path. IP forwarding must be enabled on the server. 


To set up Telnet Transparent proxy, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. From the Transparent Proxy tab, check the Transparent Telnet 
Proxy check box. 


3. Click Details or double-click the Transparent Telnet service. 


4. Click Add and enter a port for monitoring. 


For example, specify 23 for Telnet traffic. 


5. In the Exception IP Address List, click Add and enter a local IP 
address. 
6. Click OK, then click OK again from the BorderManager Setup page. 


Note When Telnet Transparent proxy is enabled, it is also automatically enabled for 
the Novell® IP Gateway, if applicable. 


To set up authentication for Telnet Transparent proxy, refer to “Setting Up 
Telnet Transparent Proxy Authentication” on page 84. 


Setting Up Proxy Authentication 


Important An additional method of authentication is available for proxy server users. Proxy 
server users can use security devices such as hardware tokens in addition to 
using their NDS™ password. Login policies defining the authentication rules 
and access methods required for remote users to authenticate are stored in the 
NDS Login Policy object. See the Authentication Services online documentation 
for more information. 


The following sections provide information about setting up proxy 
authentication: 


• “Setting Up HTTP Proxy Authentication” on page 82 
• “Setting Up HTTP Transparent Proxy Authentication” on page 83 
• “Setting Up Telnet Transparent Proxy Authentication” on page 84 
Setting Up HTTP Proxy Authentication 


Proxy authentication for HTTP proxy and HTTP accelerator (reverse and 
forward HTTP proxy) can be accomplished in the following ways: 


• Single sign-on for Novell® Client 32™ clients—If a user is logged in to 
NetWare® through the latest Novell Client™ software and uses the 
browser, the user is not prompted to authenticate again to the proxy. 


• SSL proxy authentication—The proxy prompts the user for an NDS 
username and password through an HTML form or a Java applet sent over 
an SSL connection. This method does not depend on the Novell Client, so 
it works for any browser, whether or not the workstation is logged in to NDS. 


You can enable HTTP proxy NDS authentication and require all users to 
authenticate with their browsers before they access the proxy server and the 
Internet. Proxy authentication consists of a username and a password. The 
proxy authentication password is the same as a user's NDS authentication 
password. Any type of browser client can be authenticated: Windows 3.1*, 
Windows 95, Windows NT*, UNIX*, OS/2*, or Macintosh*. 


If proxy authentication is enabled and both single sign-on and SSL are enabled, 
the proxy server will first try to authenticate the user through single sign-on. If 
the single sign-on attempt fails or is not enabled, the proxy server will attempt 
authentication using SSL. If HTTP accelerator (reverse proxy) single sign-on 
attempts fail, SSL authentication is used. 


Single sign-on is successful only when the client machine is running the Novell 
Client 32 software and has logged in to NDS. The client machine must also be 
running DWNTRUST.EXE and CLNTRUST.EXE. These files are located in 
the SYS:PUBLIC directory on the server. For more information about these 
files and creating login scripts for users to be authenticated using the single 
sign-on feature, refer to Chapter 4, “Setting Up the Novell IP Gateway,” on 
page 45. 


To set up HTTP proxy authentication, complete the following steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. Click Authentication Context. 


3. From the Authentication tab, check the Enable HTTP Proxy 
Authentication check box. 


4. Select an authentication scheme: single sign-on or SSL. 




5. For single sign-on, enter the time to wait for a single sign-on reply. 


6. For SSL, specify the following parameters: 


• SSL Listening Port—Specify the port used for authentication. You 
might need to change the port number so that the SSL authentication 
listener does not collide with reverse proxy traffic: both reverse proxy 
and SSL authentication default to port 443. 


• Key ID—Specify the key ID exchanged between the client and 
server for authentication. 


Note Use the NetWare Administrator PKI Services to change and create key IDs in 
an NDS tree. For more information, refer to the PKI online help in NetWare 
Administrator or the PKI information located in the following path: Contents > 
Novell Public Key Infrastructure Services (under the Network Services 
Documentation and Security Services headings). 


• Notification method—Specify whether to send authentication 
notification in HTML form or as a Java applet. 


• Idle time—Specify the length of time a connection can remain idle 
before a new login is required. 


7. Specify whether to authenticate only when the user attempts to 
access a restricted page. 


8. Click the Context tab. 


9. Click Add and enter the user's default NDS context and tree name. 


Enter a fully distinguished NDS container name (sales.my_org, for 
example). The NDS container name can have up to 256 characters. This 
entry is optional and makes logging in easier for users. Users in the 
specified container can log in by typing only their login names without 
the complete context string. 


10. Click OK, then click OK again from the BorderManager Setup page. 


Setting Up HTTP Transparent Proxy Authentication 


To set up HTTP Transparent proxy authentication, complete the following 
steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 
2. Click Authentication Context. 


3. From the Authentication tab, check the Enable HTTP Proxy 
Authentication check box. 


4. Click the Context tab. 


5. Click Add and enter the user's default NDS context and tree name. 


Enter a fully distinguished NDS container name (sales.my_org, for 
example). The NDS container name can have up to 256 characters. This 
entry is optional and makes logging in easier for users. Users in the 
specified container can log in by typing only their login names without 
the complete context string. 


6. Click OK, then click OK again from the BorderManager Setup page. 


Setting Up Telnet Transparent Proxy Authentication 


To enable Telnet Transparent proxy authentication, complete the following 
steps: 


1. In NetWare® Administrator, select the BorderManager Setup page 
for the server. 


2. Click Authentication Context. 


3. From the Authentication tab, check the Enable Transparent Telnet 
Proxy Authentication check box. 


4. Click the Context tab. 


5. Click Add and enter the user's default NDS context and tree name. 


Enter a fully distinguished NDS container name (sales.my_org, for 
example). The NDS container name can have up to 256 characters. This 
entry is optional and makes logging in easier for users. Users in the 
specified container can log in by typing only their login names without 
the complete context string. 


6. Click OK, then click OK again from the BorderManager Setup page. 


Completing Advanced Setup, Configuration, and 
Management Tasks 


In addition to the basic setup procedures described in this chapter, there are 
several advanced setup, configuration, or management procedures you might 
need to complete, depending on your specific configuration. Advanced tasks 
are available in the Proxy Services online documentation and include the 
following: 

• Configuring cache parameters 

• Specifying batch downloading 

• Configuring caching hierarchies 

• Specifying transport timeout parameters 

• Specifying DNS parameters 

• Setting up HTTP proxy services logging 

• Monitoring proxy cache real-time activity 

• Viewing host statistics 

• Displaying records 

• Viewing host record entries 

• Viewing user statistics 

• Viewing user log entries 

• Viewing usage trends 

• Exporting data 
Setting Up Virtual Private Networks 


A Virtual Private Network (VPN) is used to transfer sensitive information 
across the Internet in a secure fashion by encapsulating and encrypting the data. 
A VPN can also be deployed in intranets where data security is required 
between departments. 


This chapter explains the tasks you complete to set up the VPN component of 
the Novell® BorderManager™ software. This chapter also describes the 
preparatory steps required for some tasks. 

This chapter contains the following sections: 

• “Virtual Private Network Prerequisites” on page 87 

• “Setting Up Your VPN” on page 93 

• “Upgrading VPN from a Previous Version” on page 108 

• “Completing Advanced Setup, Configuration, and Management Tasks” 
on page 113 


Note This chapter describes the tasks required to set up an initial implementation of 
VPN. For planning and conceptual information about VPN, refer to Novell 
BorderManager Enterprise Edition 3.5 Overview and Planning, available in the 
online documentation. Make sure you understand this information before setting 
up and configuring your VPN. 


Virtual Private Network Prerequisites 


Before you start to set up the VPN component of the Novell® 
BorderManager™ software, you must meet the prerequisites described in this 
chapter. This section contains the following topics: 


• “Site-to-Site VPN Prerequisites” on page 88 

• “Client-to-Site VPN Prerequisites” on page 91 
Site-to-Site VPN Prerequisites 


Before you set up a site-to-site VPN, your network must meet the following 
requirements: 


• The NetWare® routing software must be installed and configured on each 
VPN server. Configuring the routing software includes, but is not limited 
to, setting up the LAN or WAN links to the other VPN members, and 
configuring static or dynamic routing for Internet Packet Exchange™ 
(IPX™) and IP packets. Verify connectivity between your VPN servers 
as required by your selected VPN topology. Any associated firewall 
software should be configured and connectivity should be verified before 
the VPN software is installed and before each VPN server is attached to 
the private networks it will protect. Information about configuring the 
routing software is located in the NetWare 5™ online documentation at 
the following path: 


Contents > Connectivity Services (under the Network Services heading) 
> Routing Configuration 


• If your VPN sites are not on the same intranet, each VPN server must 
have a connection to the Internet, either directly or indirectly. If your 
VPN server is connected directly to the Internet, obtain the public IP 
address provided by your Internet Service Provider (ISP) to use when 
connecting to the Internet. Each VPN server uses the public IP address to 
exchange encrypted information with other VPN servers. Obtain the 
public IP address before you set up the VPN. The ISP connection should 
also be tested before the VPN software is installed and before the VPN 
server is attached to any private networks. In the case of an intranet VPN, 
an ISP connection is not required. 


• If your VPN server is connected directly to the Internet, you must obtain 
a permanent IP address for the ISP connection. The IP address cannot be 
dynamically assigned by the ISP. 


• The VPN server must have only one connection to the Internet. 
Otherwise, you risk sending and receiving your confidential data 
unencrypted if your data is routed to the other connection. 


• If you are configuring a VPN server for the first time in an NDS™ tree, 
you must be able to log in to the server's NDS tree with administrative 
rights in order to extend the Server object schema. 


• If the VPN server is also the firewall machine that protects your private 
network from the Internet, select the Setup BorderManager for Secure 
Access to the Public Interface option during the initial BorderManager 
installation and configuration. Otherwise, load BRDCFG to configure 
the required filters. 


• If your VPN server is behind a firewall, be sure to configure the firewall 
with the proper packet forwarding filters, as determined by your security 
policy. If the firewall is also running the BorderManager software, select 
the Setup BorderManager for Secure Access to the Public Interface 
option during the initial BorderManager installation and configuration to 
automatically configure firewall filters. These firewall filters must then 
be altered as determined by your security policy. In general, the filters 
must be altered to allow VPN members to communicate with each other 
and allow encrypted packets to pass through. The filters listed in Table 
6-1 can be used as a guideline for how the firewall filters should be 
altered for VPN. The filters might also have to be altered to allow 
communication with other BorderManager services. 


The firewall filters can also be configured after installation by loading 
BRDCFG. If the firewall is not running the BorderManager software, 
you must configure these filters manually as described in the 
documentation provided with the third-party firewall product. 
Table 6-1 VPN Filters 


Description of Filter                       | Protocol     | Source Address     | Source Port | Destination Address | Destination Port 
--------------------------------------------|--------------|--------------------|-------------|---------------------|----------------- 
Exception filters for the VPN master server | TCP (ID=6)   | Any                | 213         | VPN public address  | Any 
to allow incoming traffic                   | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                            | UDP (ID=17)  | Any                | 2010        | VPN public address  | 2010 
Exception filters for the VPN master server | TCP (ID=6)   | VPN public address | Any         | Any                 | 213 
to allow outgoing traffic                   | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                            | UDP (ID=17)  | VPN public address | 2010        | Any                 | 2010 
Exception filters for the VPN slave server  | TCP (ID=6)   | Any                | Any         | VPN public address  | 213 
to allow incoming traffic                   | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                            | UDP (ID=17)  | Any                | 2010        | VPN public address  | 2010 
Exception filters for the VPN slave server  | TCP (ID=6)   | VPN public address | 213         | Any                 | Any 
to allow outgoing traffic                   | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                            | UDP (ID=17)  | VPN public address | 2010        | Any                 | 2010 
• If you have set up two VPN servers on the same network, or the hop 
count between the two VPN servers is one, you must use FILTCFG to 
prevent all private network routes from being advertised through the 
public interfaces. Complete this process for both IPX and IP as described 
in the packet filtering online documentation. 


• If your network uses Open Shortest Path First (OSPF) dynamic routing, 
your VPN server must be located on a pure OSPF backbone area. 


Client-to-Site VPN Prerequisites 


Before you install the VPN client software, verify that the following 
prerequisites have been met: 


• The workstation must be running Windows 95*, Windows 98*, or 
Windows NT* Workstation 4.0. 


• If the VPN client will be using a dial-up connection, Microsoft* Dial-Up 
Networking must be installed before installing the VPN client software. 


• If you are using Windows 95 older than OSR2, Microsoft Dial-Up 
Networking version 1.1 or later must be installed before installing the 
VPN client software. 


• If you are using the VPN client with the Novell Client™ software, Novell 
Client version 2.2 or later must be installed. 


• If you are using the VPN LAN client, you must have an Ethernet adapter. 


• If you are using Windows NT, you must use an Intel*-based workstation. 
The VPN client does not support Alpha workstations. 


• If you are using Windows NT, the Windows NT Service Pack 3 (SP3) or 
later version must be installed before installing the VPN client software. 
Note that the SP3 must be reinstalled whenever you install a feature from 
the Windows NT CD-ROM, such as Networking or Remote Access 
Services, that was not already on the system when you installed SP3. 


• If you are using Windows NT, you must log in to Windows NT as a user 
with administrative rights in order to install the VPN client. 
• The VPN server must have only one connection to the Internet. 
Otherwise, you risk sending and receiving your confidential data 
unencrypted if your data is routed to the other connection. 


• If your VPN server is behind a firewall, be sure to configure the firewall 
with the proper packet forwarding filters, as determined by your security 
policy. If the firewall is also running the BorderManager software, select 
the Setup BorderManager for Secure Access to the Public Interface 
option during the initial installation and configuration to automatically 
configure firewall filters. These firewall filters must then be altered as 
determined by your security policy. In general, the filters must be altered 
to allow VPN clients to communicate with the server and allow 
encrypted packets to pass through. The filters listed in Table 6-2 can be 
used as a guideline for how the firewall filters should be altered. The 
filters might also have to be altered to allow communication with other 
BorderManager services. 


The firewall filters can also be configured after installation by loading 
BRDCFG. If the firewall is not running the BorderManager software, 
you must configure these filters manually as described in the 
documentation provided with the third-party firewall product. 


Table 6-2 Filters Required for Client-to-Site VPNs 


Description of Filter                      | Protocol     | Source Address     | Source Port | Destination Address | Destination Port 
-------------------------------------------|--------------|--------------------|-------------|---------------------|----------------- 
Exception filters for the VPN master or    | TCP (ID=6)   | Any                | Any         | VPN public address  | 353 
slave server to allow incoming traffic     | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                           | UDP (ID=17)  | Any                | 353         | Any                 | 353 
Exception filters for the VPN master or    | TCP (ID=6)   | VPN public address | 353         | Any                 | Any 
slave server to allow outgoing traffic     | SKIP (ID=57) | Any                | Any         | Any                 | Any 
                                           | UDP (ID=17)  | Any                | 353         | Any                 | 353 
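The filters in Tables 6-1 and 6-2 are stateless exception filters layered on the default-deny rule set that the Setup BorderManager for Secure Access to the Public Interface option installs. The following script is an added example, not Novell's code and not part of this manual: it encodes both tables as data and evaluates constructed packets against them, so you can confirm before editing FILTCFG which flows the tables admit and which they reject. The addresses (documentation ranges), the packet tuple format, and the function names are this example's own assumptions. 

```python
# Added example (not Novell's code): encode the exception filters of
# Tables 6-1 and 6-2 as data and evaluate constructed packets against them
# with the default-deny model that the "Secure Access to the Public
# Interface" option installs. Addresses are documentation ranges chosen
# here; the packet tuple format is this script's own.
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, SKIP = 6, 17, 57   # IP protocol numbers named in the tables
ANY = None                   # wildcard, the "Any" cells of the tables


@dataclass(frozen=True)
class Filter:
    proto: int
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, proto: int, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> bool:
        # A cell of ANY matches everything; otherwise it must match exactly.
        return (self.proto == proto
                and self.src in (ANY, src)
                and self.sport in (ANY, sport)
                and self.dst in (ANY, dst)
                and self.dport in (ANY, dport))


def site_to_site_filters(public: str, role: str) -> List[Filter]:
    """Table 6-1 for one server whose public address is `public`.
    Only the TCP 213 control-connection rows differ between roles:
    the master initiates to the slave's port 213."""
    if role == "master":
        tcp = [Filter(TCP, ANY, 213, public, ANY),    # incoming replies from slave:213
               Filter(TCP, public, ANY, ANY, 213)]    # outgoing connection to slave:213
    elif role == "slave":
        tcp = [Filter(TCP, ANY, ANY, public, 213),    # incoming connection from master
               Filter(TCP, public, 213, ANY, ANY)]    # outgoing replies from our :213
    else:
        raise ValueError(f"unknown role {role!r}")
    return tcp + [
        Filter(SKIP, ANY, ANY, ANY, ANY),             # encrypted tunnel traffic (protocol 57)
        Filter(UDP, ANY, 2010, public, 2010),         # incoming UDP 2010
        Filter(UDP, public, 2010, ANY, 2010),         # outgoing UDP 2010
    ]


def client_to_site_filters(public: str) -> List[Filter]:
    """Table 6-2; identical for a master and a slave server."""
    return [
        Filter(TCP, ANY, ANY, public, 353),           # incoming client connection to :353
        Filter(TCP, public, 353, ANY, ANY),           # outgoing replies from :353
        Filter(SKIP, ANY, ANY, ANY, ANY),
        Filter(UDP, ANY, 353, ANY, 353),              # both directions share this row
    ]


def allowed(filters: List[Filter], proto: int, src: str, sport: Optional[int],
            dst: str, dport: Optional[int]) -> bool:
    """Default deny: a packet passes only if some exception filter matches it."""
    return any(f.matches(proto, src, sport, dst, dport) for f in filters)


if __name__ == "__main__":
    MASTER, SLAVE = "203.0.113.10", "203.0.113.20"    # constructed public addresses
    m = site_to_site_filters(MASTER, "master")
    print(allowed(m, TCP, MASTER, 40000, SLAVE, 213))  # master opens control connection
    print(allowed(m, TCP, SLAVE, 40000, MASTER, 213))  # slave must not initiate one
```

Two things the evaluation makes visible. The TCP rows are directional: a slave cannot open a connection to the master's port 213, only answer one, which is the topology the table encodes. The SKIP row, by contrast, is Any/Any in every direction; if your security policy allows it, narrow its source and destination to the public addresses of the VPN members rather than leaving protocol 57 open to the whole Internet. 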





Setting Up Your VPN 


To set up any type of VPN, you must set up a master server. After you set up 
the master server, you will complete additional setup tasks based upon whether 
you want to set up a site-to-site VPN or a client-to-site VPN. This section 
contains the following procedures: 


• “Setting Up the Master Server” on page 94 
• “Setting Up Site-to-Site VPNs” on page 95 
• “Setting Up Client-to-Site VPNs” on page 100 


Note You use the VPNCFG utility to set up the master server, set up the slave server, 
and generate the encryption information. 
Setting Up the Master Server 


A VPN can have only one master server. The master server is the central 
control point for the configuration and management of the VPN. In addition, a 
server (master or slave) can be a member of only one VPN. 


To set up the master server for your VPN, complete the following steps: 


1. At the server console prompt, enter 

LOAD VPNCFG 


If this server is the first in the NDS™ tree to be set up as a VPN server, 
you are prompted to log in to the tree. You must have administrative 
rights at the root of the tree to extend the NDS schema and define the VPN 
attributes. 


2. Select Master Server Configuration. 


3. Configure the IP addresses for the master server. 


The VPN master server uses two IP addresses: a public address to 
communicate with the Internet, and a VPN tunnel address to exchange 
encrypted information with other VPN members. 


3a. Select Configure IP Addresses. 


3b. Enter the public IP address. 


If the VPN server is connected directly to the Internet, the public 
IP address is the address that was assigned by your ISP. 


3c. Enter the subnet mask for the public IP address. 
3d. Enter the VPN tunnel IP address. 


This address is associated with the VPN tunnel through which 
encrypted information passes. This address should be unregistered. 


Important The VPN tunnel IP address for all VPN servers must be on the same subnet. 
The VPN tunnel IP address is an arbitrarily chosen private address. The scope 
of this address is limited to the VPN tunnel link. This address should not be used 
as the source or destination IP address for data packets. Use PING on this 
address to verify the direct connectivity through the VPN tunnel. 
3e. Enter the subnet mask for the VPN tunnel IP address. 


3f. Press Esc and select Yes when prompted to save your changes. 


4. Generate the master server encryption information. 
4a. Select Generate Encryption Information. 


4b. Enter up to 255 characters for the random seed. 


There is no need to record this value. The software uses this value 
to help randomize the master server Rivest-Shamir-Adleman 
(RSA) public and private keys, and the master server Diffie- 
Hellman public and private values that it generates. 


5. Copy the master encryption information file (MINFO.VPN) to 
diskette or save it to a local hard disk. 


5a. Select Copy Encryption Information. 


5b. Enter the path in which you want to save the master encryption 
information file. 


6. Give the MINFO.VPN file to the network administrator of each 
slave server you want to add to the VPN. 


You can either send the diskette containing the file by surface mail or 
send the file as an e-mail attachment. There is no danger of 
compromising security if the file is intercepted because it contains only 
public information. Any alteration of the file can be detected by verifying 
the message digest during the configuration of the slave server. Compare 
that digest with the slave server administrator over a channel separate 
from the one used to send the file; a digest that travels with the file can be 
replaced together with it. 


7. Press Esc until you exit VPNCFG. 
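Steps 3b through 3e and the Important note impose addressing rules that VPNCFG does not check across servers: public addresses must be fixed, ISP-assigned addresses; tunnel addresses must be unregistered and must all lie on one subnet; nothing may be reused. The following pre-flight check is an added example, not Novell's code and not part of this manual. It treats "unregistered" as an RFC 1918 address, and its server names, addresses and function names are constructed for illustration. 

```python
# Added example (not Novell's code): a pre-flight check of the addressing
# rules that VPNCFG expects in Steps 3b-3e, run before touching the console.
# "Unregistered" is taken here to mean an RFC 1918 address, and server names
# and addresses are constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# name -> ((public address, public mask), (tunnel address, tunnel mask))
Topology = Dict[str, Tuple[Tuple[str, str], Tuple[str, str]]]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def check_vpn_addressing(topology: Topology) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    seen_public: Dict[ipaddress.IPv4Address, str] = {}
    seen_tunnel: Dict[ipaddress.IPv4Address, str] = {}
    tunnel_networks = set()

    for name, ((pub, pub_mask), (tun, tun_mask)) in topology.items():
        pub_if = ipaddress.ip_interface(f"{pub}/{pub_mask}")
        tun_if = ipaddress.ip_interface(f"{tun}/{tun_mask}")

        # Step 3b: the public address is the fixed, ISP-assigned address.
        if is_rfc1918(pub_if.ip):
            problems.append(f"{name}: public address {pub} is an RFC 1918 address, "
                            "not routable on the Internet")
        # Step 3d: the tunnel address is an arbitrary unregistered address
        # whose scope is limited to the tunnel link.
        if not is_rfc1918(tun_if.ip):
            problems.append(f"{name}: tunnel address {tun} is not an unregistered "
                            "(RFC 1918) address")
        if pub_if.network.overlaps(tun_if.network):
            problems.append(f"{name}: tunnel subnet {tun_if.network} overlaps "
                            f"public subnet {pub_if.network}")
        # No two servers may share an address in either role.
        for label, ip, seen in (("public", pub_if.ip, seen_public),
                                ("tunnel", tun_if.ip, seen_tunnel)):
            if ip in seen:
                problems.append(f"{name}: {label} address {ip} is already used by {seen[ip]}")
            seen[ip] = name
        tunnel_networks.add(tun_if.network)

    # The Important note: every server's tunnel address must be on one subnet.
    if len(tunnel_networks) > 1:
        nets = ", ".join(str(n) for n in sorted(tunnel_networks))
        problems.append(f"tunnel addresses span more than one subnet: {nets}")
    return problems


if __name__ == "__main__":
    plan = {   # constructed topology
        "master": (("203.0.113.10", "255.255.255.240"), ("10.250.0.1", "255.255.255.0")),
        "slave1": (("198.51.100.20", "255.255.255.0"), ("10.250.0.2", "255.255.255.0")),
    }
    for problem in check_vpn_addressing(plan) or ["addressing plan is consistent"]:
        print(problem)
```

Run it against the whole planned topology, including slaves that will be added later, so that a tunnel subnet chosen for the master still has room and does not collide with a site's public subnet. 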


Setting Up Site-to-Site VPNs 


This section explains the basic tasks you perform to set up a site-to-site VPN. 
This section contains the following procedures: 


° “Setting Up a Slave Server” on page 96 
° “Adding a Server to a VPN” on page 98 
° “Synchronizing VPN Servers” on page 99 


° “Setting Up Specific Site-to-Site VPN Configurations” on page 100 
Setting Up a Slave Server 


To set up a slave server for your VPN, complete the following steps. Make sure 
you have the MINFO.VPN file from the master server administrator. 


1. At the server console prompt, enter 


LOAD VPNCFG 
2. Select Slave Server Configuration. 


3. Configure the IP addresses for the slave server. 


Like the master server, a VPN slave server uses two IP addresses: a 
public address to communicate with the Internet, and a VPN tunnel 
address to exchange encrypted information with other VPN members. 


3a. Select Configure IP Addresses. 


3b. Enter the public IP address. 


If the VPN server is connected directly to the Internet, the public 
IP address is the address that was assigned by your ISP. 


3c. Enter the subnet mask for the public IP address. 


3d. Enter the VPN tunnel IP address. 


This address is associated with the VPN tunnel through which 
encrypted information passes. This address should be unregistered. 


Important The VPN tunnel IP address for all VPN servers must be on the same subnet. 


3e. Enter the subnet mask for the VPN tunnel IP address. 


3f. Press Esc and select Yes when prompted to save your changes. 


4. Generate the slave server encryption information. 
4a. Select Generate Encryption Information. 


4b. Enter the location of the master encryption information file 
(MINFO.VPN). 


4c. Contact the master server administrator and verify that you 
have the same message digest values. 


Having the same digest values ensures the authenticity of the 
MINFO.VPN file. 
Important If the message digest values do not match, the encrypted tunnel between the 
slave and master servers cannot be created. In this case, the master server 
administrator must provide a new MINFO.VPN file. 


4d. Ask the master server administrator to select Authenticate 
Encryption Information to authenticate the MINFO.VPN file. 


To authenticate this file, the administrator must load VPNCFG and 
select the following menu path: 


Master Server Configuration > Authenticate Encryption 
Information 


4e. If the message digest values match, enter up to 255 characters 
for the random seed. 


There is no need to record this value. The software uses this value 
to help randomize the Diffie-Hellman public and private values 
that it generates for the slave server. 


5. Copy the slave encryption information file (SINFO.VPN) to diskette 
or save it to a local hard disk. 


5a. Select Copy Encryption Information. 


5b. Enter the path or name of the file in which you want to save the 
slave encryption information file. The default is 
A:\SINFO.VPN. 


Hint Rename your SINFO.VPN file to a name such as SINFO_S1.VPN. This enables 
the master server administrator to collect all slave encryption information files in 
a single directory without overwriting them. You can also use a server or location 
name when renaming the SINFO.VPN file. 


6. Give your slave encryption information file to the master server 
administrator. 


You can either send the diskette containing the file by surface mail or 
send the file as an e-mail attachment. There is no danger of 
compromising security if the file is intercepted because it cannot be 
interpreted without the master server's RSA and Diffie-Hellman private 
values; the public values alone, which MINFO.VPN already disclosed, are 
not enough. As with MINFO.VPN, the risk is substitution rather than 
disclosure, which is why the master server administrator compares the 
message digest with you before accepting the file. 


7. Press Esc until you exit VPNCFG. 


Important Before the slave server can communicate with other members of the VPN, you 
must perform the procedure described in “Adding a Server to a VPN” on 
page 98. 
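Steps 4c and 4d of the slave procedure, and Step 6 of the master procedure before it, rest on one idea: the encryption information files carry only public values, so interception is harmless, but a substituted file would let an attacker stand in for the other server, so the digest is compared over a separate channel before the file is trusted. The following script is an added example, not Novell's code and not part of this manual; it models that check. Its file layout, its use of SHA-256, and the key material are constructions of this example (the manual does not name the algorithm behind the 16-byte digest VPNCFG displays). 

```python
# Added example (not Novell's code): the out-of-band integrity check behind
# Steps 4c-4d, and the same check the master administrator performs on
# SINFO.VPN. The file layout, the SHA-256 digest and the key material below
# are this script's own constructions; the manual does not name the algorithm
# behind the 16-byte digest that VPNCFG displays.
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for the master's RSA and Diffie-Hellman public values.
MASTER_PUBLIC: Dict[str, str] = {
    "rsa_pub": "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2,
    "dh_pub": "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2,
}


def build_info_file(server_name: str, public_values: Dict[str, str]) -> bytes:
    """Serialise the public values a server hands to its peer (constructed layout)."""
    lines = [f"server={server_name}"] + [f"{k}={v}" for k, v in sorted(public_values.items())]
    return ("\n".join(lines) + "\n").encode()


def fingerprint(info: bytes) -> str:
    """Digest the two administrators read to each other, grouped for reading aloud."""
    digest = hashlib.sha256(info).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def verify_out_of_band(received: bytes, spoken_fingerprint: str) -> bool:
    """Receiving side: accept the file only if its digest matches the one the
    sending administrator confirmed over a separate channel (phone, in person).
    A digest e-mailed alongside the file proves nothing: whoever can swap the
    file can swap that digest too. Constant-time compare as a matter of habit."""
    return hmac.compare_digest(fingerprint(received), spoken_fingerprint)


def substitute_key(info: bytes, attacker_rsa_pub: str) -> bytes:
    """What a man-in-the-middle does to MINFO.VPN in transit: keep everything
    else, replace the master's RSA public key with its own, so that material
    the slave encrypts to "the master" would be readable by the attacker."""
    out = []
    for line in info.decode().splitlines():
        if line.startswith("rsa_pub="):
            line = f"rsa_pub={attacker_rsa_pub}"
        out.append(line)
    return ("\n".join(out) + "\n").encode()


if __name__ == "__main__":
    minfo = build_info_file("master", MASTER_PUBLIC)
    spoken = fingerprint(minfo)                 # master admin reads this out by phone
    print(verify_out_of_band(minfo, spoken))    # genuine file
    forged = substitute_key(minfo, "bad1dea0" * 8)
    print(verify_out_of_band(forged, spoken))   # swapped key is caught
```

The forged file is well-formed and would load without complaint; only the digest comparison catches it, which is why the manual has you contact the other administrator rather than trust the file on its own. 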
Adding a Server to a VPN 


Before you can add a server to a VPN, you must use the VPNCFG utility to do 
the following; 


• Set up the master server 
• Set up the slave server 
• Generate encryption information files for the master and slave servers 


After you complete the VPNCFG procedures, the master server is 
automatically added to the VPN. You use the NetWare® Administrator utility 
to add a server to a VPN and synchronize VPN servers. 


To add a slave server to the VPN, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 
3. Double-click Master Site-to-Site under Enable Service. 
4. Click Add. 


5. Locate the encryption information file for the server you want to 
add, then click Open. 


The encryption information file is generated during the procedure 
described in “Setting Up a Slave Server” on page 96. The default name 
for the file is SINFO.VPN. NetWare Administrator reads the file and 
displays a 16-byte message digest. 


6. Contact the administrator of the VPN slave server and ask him to 
select Authenticate Encryption Information to authenticate the 
SINFO.VPN file. 


To authenticate this file, the administrator must load VPNCFG and select 
the following menu path: 


Slave Server Configuration > Authenticate Encryption Information 


Compare the value of your message digest with the one generated at the 
slave server console. 
7. If the digests are equal, click Yes; otherwise, click No. 


Unequal digest values indicate that the data has been tampered with or 
corrupted. 


8. Click Status. 
9. Click Synchronize All, then click OK. 


Complete this procedure for each slave server that you want to add as a member 
of the VPN. 


Synchronizing VPN Servers 


When you synchronize servers on a VPN, the VPN master server updates all 
VPN slave servers with the current VPN topology and encryption keys. A 
server's synchronization status can assume one of the following states: 


• Up-to-Date 


The server has been configured with the latest topology and encryption 
information. This does not indicate that the server's VPN tunnel 
connections are up. Use the Activity display to determine the status of the 
VPN tunnel connections. 


• Being Configured 


The server still must receive the current topology and encryption 
information from the master server. 


• Being Removed 


The server is being removed from the VPN. 


Note Any server state that remains at Being Configured or Being Removed for an 
extended period of time indicates a problem with the master server's ability to 
communicate with that VPN member. For more information, refer to the VPN 
online documentation. 


To synchronize the members of a VPN, complete the following steps: 


1. In NetWare Administrator, double-click the VPN master server and 
select the BorderManager Setup page. 


2. Click the VPN tab. 




3. Double-click Master Site-to-Site under Enable Service. 


4. Click Status. 


The Synchronization Status window displays each member of the VPN, 
its public IP address, and its update status. 


5. Synchronize one or more servers. 

There are two synchronization options: 

• To synchronize all servers on the VPN, click Synchronize All. 

• To synchronize only one server on the VPN, highlight the server 
name and click Synchronize Selected. 


Setting Up Specific Site-to-Site VPN Configurations 
There are several different ways you can build your site-to-site VPN. 
Depending on the configuration you require, you will need to complete several 
different setup tasks. The following detailed examples are available in the VPN 
online documentation: 
• Using the VPN server as a border server 

• Using the VPN server behind a firewall 

• Setting up a VPN within a private network 


Note To correctly set up a VPN for a particular configuration, it is vital that you refer 
to the examples in the VPN online documentation. The examples contain 
procedures that are required for a particular configuration but are not included 
in the basic procedures provided in this publication. 


Setting Up Client-to-Site VPNs 


This section explains the tasks required to set up a client-to-site VPN and make 
a client-to-site connection. This section contains the following procedures: 


• “Setting Up a VPN Server to Support VPN Clients” on page 101 

• “Installing a VPN Dial-Up or LAN Client on a Windows 95, Windows 
98, or Windows NT Workstation” on page 104 

• “Setting Up a VPN Dial-Up Client on a Windows 95, Windows 98, or 
Windows NT Workstation” on page 104 

• “Logging In from a VPN Client” on page 105 

• “Setting Up Specific Client-to-Site VPN Configurations” on page 108 


Setting Up a VPN Server to Support VPN Clients

To set up a VPN server to support VPN clients, complete the following steps:

1. Set up a NetWare server with the VPN software.

If you want the server to be a member of a site-to-site VPN network (master or slave), set up the VPN server to be part of the VPN network, as described in “Setting Up the Master Server” on page 94 or “Setting Up a Slave Server” on page 96.

If you want the server to support only remote clients and not be a member of a site-to-site VPN network, set up the VPN server as a VPN master, as described in “Setting Up the Master Server” on page 94.

You must place the server in the path between your intranet and the Internet. If you have multiple access points to the Internet from your intranet, you must make sure the packets from the intranet can return to the VPN client through the VPN server. Packets will return to the client if you make the VPN server the default router on your network, or if you enable NAT on the private interface of your VPN server.

2. In NetWare Administrator, double-click the VPN server that you want to support the clients and select the BorderManager Setup page.

3. Click the VPN tab.

4. Double-click Client-to-Site under Enable Service.

5. (Optional) Configure the Inactivity Timeout parameter, if required.

6. To enable the encryption of IPX data for VPN clients, you must set WAN Client IPX Network Address to the IPX network address that VPN clients will use to access this server.

This address must be unique and should not match the server's network address or the network address of any of the server's LAN adapters. If the client dials directly in to the VPN server using the remote access software, the IPX network address that you configured for remote access is automatically displayed. If you change the address in this field, the remote access software is updated with the new address.

Important When IPX™ support is enabled for the VPN client on Windows 95 and Windows 98 workstations, the client's IPX LAN connection is disabled after the VPN IPX connection is established. This also occurs when the client is not a VPN client and you use Dial-Up Networking with IPX enabled.

7. (Optional) If you do not want the VPN clients to negotiate the data encryption and data authentication methods for the connection with the VPN server, select Restrict Clients to Use Server Preferred Security.

To configure the server’s preferred security, select Details under Master Site-to-Site or Slave Site-to-Site.

8. (Optional) If you want to specify a limited number of networks to which VPN clients can communicate securely using encryption, configure a list of protected networks.

To add a network to the list, select Encrypt Only Networks Listed Below and click Add. Select the network address and subnet mask, and click OK.

This step is optional because by default the client encrypts data to and from all networks. By specifying a list of protected networks, you enable the VPN client to send unencrypted IP traffic to the Internet and encrypt only intranet traffic.

If you have an IPX-only network and do not want to encrypt IP traffic, select Do Not Encrypt Any IP Packets.

9. (Optional) Click Digest to view the digest of the VPN server's configuration information.

This digest is used to authenticate the information sent to the VPN client during its attempt to log in to the VPN server.

10. Click OK, then select BorderManager Access Rules.

11. To configure the NDS users, groups, or containers that are allowed to use this VPN server, complete the following substeps:

11a. Click Add.

11b. Select VPN Client for the access type.

11c. Select Specified under Source and click Browse.

11d. Click Add.

11e. Select a user, group, or container from the list of objects in the NDS tree, then click OK.

11f. Repeat Step 11d and Step 11e for each additional object, as required.

12. Click OK until you return to the VPN page.

13. If needed, configure authentication rules and access methods.

VPN clients can use security devices such as hardware tokens in addition to using their NDS password to authenticate to the VPN server. If a Login Policy object exists in your NDS tree, it is associated with all VPN version 3.5 servers in the tree, and authenticates VPN users using authentication rules and access methods defined in the object. See the Authentication Services online documentation for more information.

If you have a Login Policy object in your tree, then only users that have a rule defined for their authentication method can connect to the VPN server.

14. If users are accessing the VPN server using the remote access software, set up the remote access accounts for the users as described in the VPN online documentation.

15. Provide VPN users with the following information by e-mail or telephone:

• The NDS username and password assigned to each user for the tree that contains the VPN server

• If users are accessing the VPN server through an ISP, the IP address of the VPN server

• If users are dialing directly in to the VPN server, the remote access information (phone number and remote access password)

• (Optional) The digest of the VPN server configuration information
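The protected-networks choice in Step 8 decides, for every packet the client sends, whether it travels through the encrypted tunnel or leaves for the Internet in the clear. The following Python model is an added example for this chapter; it is not Novell code and does not reproduce the product's implementation. It encodes the three settings the step describes (the default of encrypting everything, Encrypt Only Networks Listed Below, and Do Not Encrypt Any IP Packets) and adds a check that reports intranet prefixes a protected-networks list would leave unencrypted, which is the mistake an administrator most often makes with this setting. All addresses are constructed.

```python
"""Model of the VPN client's per-packet encryption decision (constructed
illustration, not Novell's code).  The three modes correspond to the
server settings in Step 8:
  "all"    - default: every IP packet from the client is encrypted
  "listed" - Encrypt Only Networks Listed Below
  "none"   - Do Not Encrypt Any IP Packets (IPX-only sites)
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EncryptionPolicy:
    mode: str = "all"
    # Protected networks as entered in the dialog (address + subnet mask).
    protected: List[ipaddress.IPv4Network] = field(default_factory=list)

    @classmethod
    def listed(cls, entries: List[Tuple[str, str]]) -> "EncryptionPolicy":
        """Build an Encrypt Only Networks Listed Below policy from
        (network address, subnet mask) pairs."""
        nets = [ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
                for addr, mask in entries]
        return cls(mode="listed", protected=nets)

    def encrypt(self, dst: str) -> bool:
        """True if a packet to dst must be sent through the encrypted tunnel,
        False if the client sends it unencrypted (split tunnel)."""
        if self.mode == "none":
            return False
        if self.mode == "all":
            return True
        ip = ipaddress.IPv4Address(dst)
        return any(ip in net for net in self.protected)

    def uncovered(self, intranet_prefixes: List[str]) -> List[str]:
        """Intranet prefixes (CIDR strings) that this policy would send in the
        clear, wholly or in part.  A prefix counts as covered only when it is
        entirely inside one protected network."""
        if self.mode == "all":
            return []
        if self.mode == "none":
            return list(intranet_prefixes)
        result = []
        for prefix in intranet_prefixes:
            net = ipaddress.IPv4Network(prefix)
            if not any(net.subnet_of(prot) for prot in self.protected):
                result.append(prefix)
        return result


if __name__ == "__main__":
    # Constructed site: two protected intranet ranges, one range forgotten.
    policy = EncryptionPolicy.listed([("10.0.0.0", "255.0.0.0"),
                                      ("192.168.10.0", "255.255.255.0")])
    for dst in ("10.20.30.40", "192.168.10.7", "192.168.11.7", "198.51.100.9"):
        print(dst, "tunnel" if policy.encrypt(dst) else "clear")
    print("left in the clear:",
          policy.uncovered(["10.0.0.0/8", "172.16.0.0/12", "192.168.10.0/24"]))
```

Run `uncovered()` against the full list of intranet prefixes whenever the protected-networks list changes; anything it reports is intranet traffic the client will send across the Internet unencrypted.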


Installing a VPN Dial-Up or LAN Client on a Windows 95, Windows 98, or Windows NT Workstation

To install a VPN client on a Windows 95, Windows 98, or Windows NT workstation, complete the following steps:

1. If you are using a dial-up client, verify that the workstation has a modem installed and set up.

2. Insert the VPN client CD-ROM and start the installation program.

3. Follow the online instructions in the installation program. Insert the Windows 95, Windows 98, or Windows NT CD-ROM or the CD-ROM containing the Novell Client™ software provided with BorderManager when prompted to do so.

4. Restart the workstation when prompted.

If the installation is successful, the Novell Virtual Private Network adapter will appear in the Windows 95 or Windows 98 Network Control Panel. For Windows NT systems, the Novell BorderManager VPN Client is listed under Services in the Network Control Panel.


Setting Up a VPN Dial-Up Client on a Windows 95, Windows 98, or Windows NT Workstation

A default dial-up entry named Novell VPN is automatically created for the VPN client during installation. This dial-up entry can be used to connect to your ISP by starting the VPN Login software. Use the VPN Login dialog box to configure various parameters before connecting to your ISP. These parameters include the dialing properties, the dialing location, the type of modem that is used, and the phone number, which can be entered manually or selected from a phone book listing. If you do not want to use the default dial-up entry, you can create a new entry using Microsoft Dial-Up Networking.

To create and configure a new dial-up entry on a Windows 95, Windows 98, or Windows NT workstation, complete the following steps:

1. Create a new dial-up entry.

1a. Double-click Make New Connection.

1b. Enter the name of the dial-up entry and select the modem.

1c. Click Next and enter the area code, phone number, and country code.

1d. Click Next, then click Finish to complete the dial-up entry.

2. For Windows 95 and Windows 98 clients, set the server type for the dial-up entry. For Windows NT clients, do not change the default setting.

2a. Right-click the dial-up entry and select Properties, or select the dial-up entry and select Properties from the File menu.

2b. Select Server Type.

2c. Set Type of Dial-Up Server to Novell Virtual Private Network.

2d. Click OK to save your changes.


Logging In from a VPN Client

Use the Dial-up VPN Login if you want to use a Microsoft Dial-Up Networking entry to connect to your ISP.

Use the LAN VPN Login if you are already connected to your ISP through a cable modem, an ADSL device, a LAN connection, or an established dial-up connection.

To log in from a VPN client, complete the following steps:

1. Start the VPN login in one of the following ways and wait for the Novell VPN Login dialog box to appear:

• Double-click one of the VPN Login icons that were automatically created during the client installation.

• For Windows 95 and Windows 98 clients, select Start > Programs > Novell > BorderManager VPN client > Dial-up VPN login or LAN VPN login.

• For Windows NT clients, select Start > Programs > NetWare > BorderManager VPN client > Dial-up VPN login or LAN VPN login.

• On Windows 95 and Windows 98 workstations, double-click the VPN dial-up entry. The VPN Login program is launched when the specified dial-up connection is established.

2. Select the NetWare Login tab in the Novell VPN Login dialog box and provide the following information:

• NDS username

• NDS password

• NDS context

• VPN server's IP address

The IP address can be followed by a space and a description.

• Token Password (Optional)

This password is required only if you have configured the Login Policy object with rules requiring VPN clients to use a security device such as a hardware token in addition to using their NDS password. See the Authentication Services online documentation for more information on how to generate the token password and configure authentication rules.

After the client has been successfully authenticated, this information (except for the password) is saved by the VPN client in the workstation's registry and is presented to the user the next time the VPN client comes up. The most recently used entries for the name and IP address are saved and displayed.

3. For Dial-Up connections, select the Dial-Up tab and select a VPN dial-up entry name from the list of configured entries.

4. (Optional) Enter the dial-up username and password if you have not connected using this dial-up entry before or your password was not saved.

To configure the phone number and other dial properties, select Settings. You can override the dial-up password and phone number configured in the dial-up entry by selecting or entering new values.

5. (Optional) If your ISP is using the RADIUS proxy feature to authenticate users, click Use NetWare Name and set RADIUS Domain to the name used by the ISP to identify the domain that contains the user when acting as an authentication request proxy.

The name used for the dial-up authentication is the NetWare username and context, followed by the RADIUS domain that you enter. For example, if the username is User1, the context is Engineering.ACME, and the RADIUS domain is acme.com, then the name used for the dial-up authentication is .User1.Engineering.ACME@acme.com.

6. Select the NetWare Options tab and select from the following options:

• Enable IPX Encryption—Enables the VPN client to communicate with the VPN server using IPX.

Note If you configured your Novell Client software to use the compatibility mode driver (CMD), you can use the CMD to access IPX services through the VPN, instead of enabling IPX.

• Login to NetWare—Automatically logs in to NetWare after the encrypted tunnel is established with the VPN server.

• Clear Current Connection—Determines whether the connection replaces or augments your existing connections.

• Run Scripts—Automatically executes your user login script.

• Display Results Window—Automatically displays the result of login script processing.

• Close Script Results Automatically—Automatically closes the script processing results page when the login is successful.

7. Click the Launcher tab to specify an application that is launched after the encrypted tunnel has been established with the VPN server.

8. Click OK to connect to the VPN server.

9. If you are prompted to compare the summary of the authentication information to the information that the administrator distributed, click OK if the values match.

This prompt is displayed only if you are connecting to this VPN server from this workstation for the first time or the VPN server has regenerated its keys.

10. (Optional) Click the VPN Status tab to view the progress of the VPN connection.

After the connection is established, a VPN Client icon appears in the task bar. Double-click the icon to display VPN client statistics for this session. For more information about VPN client statistics, refer to the VPN online documentation.

11. To terminate your VPN connection, double-click the VPN statistics icon and click Disconnect.

On Windows NT systems, do not terminate your session by disconnecting your dial-up connection using the Dial-Up Monitor. You must terminate your VPN connection from the VPN Statistics screen.
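Two parts of the login procedure above are worth seeing as code: the RADIUS proxy name built in Step 5, and the comparison of the server's configuration digest against the value the administrator distributed out of band in Step 9, which the client asks for only on first contact with a server or after that server regenerates its keys. The Python below is an added example written for this chapter, not Novell's client code; the product's digest algorithm and registry layout are not described on the page, so the SHA-256 digest over a canonical serialisation and the in-memory "known servers" table are assumptions, and the server configuration values are constructed.

```python
"""Client-side login helpers modelled on Steps 5 and 9 above.  Constructed
illustration, not Novell's code: the digest algorithm (SHA-256 over
canonical JSON) and the per-server cache are assumptions."""
import hashlib
import json
from typing import Dict


def build_dialup_name(username: str, context: str, radius_domain: str) -> str:
    """Name sent for dial-up authentication when the ISP proxies RADIUS
    requests: the NetWare user and context, followed by @domain."""
    return f".{username}.{context}@{radius_domain}"


def config_digest(config: Dict[str, str]) -> str:
    """Digest of the server's configuration information (assumed algorithm)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DigestCheck:
    """Trust-on-first-use handling of the server configuration digest.

    The client remembers the digest it accepted for each VPN server.  It asks
    the user to compare the presented digest with the administrator's value
    only when the server is new to this workstation or its digest changed
    (key regeneration); a mismatch against the distributed value means the
    connection must not proceed."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}   # server IP -> accepted digest

    def needs_confirmation(self, server_ip: str, config: Dict[str, str]) -> bool:
        return self.known.get(server_ip) != config_digest(config)

    def confirm(self, server_ip: str, config: Dict[str, str],
                distributed_digest: str) -> bool:
        """The user's comparison in Step 9.  Records the digest and returns
        True on a match; returns False (do not connect) otherwise."""
        presented = config_digest(config)
        if presented != distributed_digest:
            return False
        self.known[server_ip] = presented
        return True


if __name__ == "__main__":
    print(build_dialup_name("User1", "Engineering.ACME", "acme.com"))
    # Constructed server configuration; "key_id" stands in for the server's
    # key material, which changes when the administrator regenerates keys.
    cfg = {"server": "203.0.113.5", "key_id": "constructed-key-1"}
    distributed = config_digest(cfg)      # what the administrator e-mailed
    check = DigestCheck()
    print("prompt on first use:", check.needs_confirmation("203.0.113.5", cfg))
    print("accepted:", check.confirm("203.0.113.5", cfg, distributed))
    print("prompt again:", check.needs_confirmation("203.0.113.5", cfg))
    regenerated = dict(cfg, key_id="constructed-key-2")
    print("prompt after key regeneration:",
          check.needs_confirmation("203.0.113.5", regenerated))
    print("old digest still accepted:",
          check.confirm("203.0.113.5", regenerated, distributed))
```

The point of the model is the failure mode: once a server regenerates its keys, the old digest the user received no longer matches, so the user must obtain the new value from the administrator rather than clicking through the prompt.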


Setting Up Specific Client-to-Site VPN Configurations

There are several different ways you can build your client-to-site VPN. Depending on the configuration you require, you will need to complete several different setup tasks. The following detailed examples are available in the VPN online documentation:

• Using the client to dial in to an ISP and connect to the VPN server over the Internet

• Using the client to dial directly in to the VPN server

• Using the client to connect to the VPN server through a LAN or cable modem

Note To correctly set up a VPN for a particular configuration, it is vital that you refer to the examples in the VPN online documentation. The examples contain procedures that are required for a particular configuration but are not included in the basic procedures provided in this publication.


Upgrading VPN from a Previous Version

This section describes upgrading from the Novell® VPN software contained in BorderManager™ version 2.1 to the current BorderManager version (version 3.5). This section contains the following procedures:

• “Upgrading During a Complete VPN Shutdown” on page 110

• “Upgrading with the Master Server behind a Router” on page 110

• “Upgrading with a Second Master Server behind a Router” on page 111

• “Upgrading Using a Replacement for an Existing Master Server” on page 112

Two approaches are available for upgrading from version 2.1 to version 3.5:

• All the VPN servers can be reconfigured at one time, overnight or during a weekend. This involves installing the new software and regenerating the encryption information for all VPN servers.

• A new VPN master server can be configured to operate in parallel with the existing version 2.1 master server, and the slave servers can be upgraded to the new network one at a time.

The advantage of the first approach is that no new equipment or ISP connections are required to run a version 3.5 master server in parallel with the existing version 2.1 master server. However, sufficient down time is required to convert all version 2.1 servers to version 3.5 without interruption to service. The amount of time needed to transfer the encryption information to and from each slave server must be considered. The procedure for this approach is described in “Upgrading During a Complete VPN Shutdown” on page 110.

The second approach requires an additional machine that can be used as the new VPN master server to be run in parallel with the existing version 2.1 master server. The advantage of this approach is that the upgrade can take place over a period of time without causing complete loss of service. VPN slave servers that remain on the existing VPN can still communicate with each other, but they cannot communicate with any VPN members on the new VPN until the upgrade occurs.

Use the second approach if:

• The VPN master server is behind a router.

  This procedure is described in “Upgrading with the Master Server behind a Router” on page 110. Use the same procedure if you want to replace the existing master server instead of adding a new master server in parallel.

• The VPN master server is connected directly to the ISP. There are two options in this case:

  • Add a new version 3.5 master server on a LAN behind the machine that is acting as the existing version 2.1 master server.

    This option requires an additional machine to be used as the new version 3.5 master server. However, this scenario is preferable in terms of performance. This procedure is described in “Upgrading with a Second Master Server behind a Router” on page 111.

  • Replace the existing version 2.1 master server with a new VPN 3.5 master server and use the existing ISP connection with the new version 3.5 master server.

    This option does not require an additional machine for the new version 3.5 master server. The disadvantage is that after the version 2.1 master server is removed, the remaining version 2.1 slave servers cannot be managed using the master server until they are upgraded to the new VPN. This procedure is described in “Upgrading Using a Replacement for an Existing Master Server” on page 112.


Upgrading During a Complete VPN Shutdown

To upgrade version 2.1 sites to version 3.5 during a complete VPN shutdown, complete the following steps:

1. Install and configure the new VPN software on the master server.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

2. Configure the slave servers and regenerate the key for each new slave server using the master encryption information that was generated by the new master server.

Refer to “Setting Up a Slave Server” on page 96 for detailed instructions.

3. Add each slave server to the VPN.

Refer to “Adding a Server to a VPN” on page 98 for detailed instructions.

Upgrading with the Master Server behind a Router

To upgrade version 2.1 sites to version 3.5 with the master server behind a router, complete the following steps:

1. Designate a machine that will be used as the new VPN master server.

2. While keeping the original VPN master and slave servers running, install and configure the new master server on the same LAN.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

Important Continue to run the original VPN master server until you are instructed later in this procedure to bring it down.

3. Select a slave server to upgrade to the new network, remove the slave server from the original network, and add it to the new network.

Refer to the VPN online documentation and “Adding a Server to a VPN” on page 98 for detailed instructions.

4. Regenerate the key for the new slave server using the master encryption information that was generated by the new master server.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

5. Repeat Step 3 and Step 4 for each slave server until all slave servers are removed from the original network and added to the new network.

6. After all slave servers have been upgraded to the new VPN, bring down and disconnect the original master server.

7. Complete the procedures described in “Adding a Server to a VPN” on page 98, as required.


Upgrading with a Second Master Server behind a Router

To upgrade version 2.1 sites to version 3.5 with a second master server behind a router, complete the following steps:

1. Designate a machine that will be used as the new VPN master server.

2. While keeping the original VPN master and slave servers running, install and configure the new master server on the LAN behind the original VPN master.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

Important Continue to run the original VPN master server until you are instructed later in this procedure to bring it down.

3. Select a slave server to upgrade to the new network, remove the slave server from the original network, and add it to the new network.

Refer to the VPN online documentation and “Adding a Server to a VPN” on page 98 for detailed instructions.

4. Regenerate the key for the new slave server using the master encryption information that was generated by the new master server.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

5. Repeat Step 3 and Step 4 for each slave server until all slave servers are removed from the original network and added to the new network.

6. After all slave servers have been upgraded to the new VPN, bring down and disconnect the original master server.

7. Complete the procedures described in “Adding a Server to a VPN” on page 98, as required.


Upgrading Using a Replacement for an Existing Master Server

To upgrade version 2.1 sites to version 3.5 using a replacement for an existing master server, complete the following steps:

1. While keeping the version 2.1 slave servers running, install and configure the version 3.5 software on the original version 2.1 master server and use the same ISP connection.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

2. Select a slave server to upgrade to the new network, remove the slave server from the original network, and add it to the new network.

Refer to the VPN online documentation and “Adding a Server to a VPN” on page 98 for detailed instructions.

3. Regenerate the key for the new slave server using the master encryption information that was generated by the new master server.

Refer to “Setting Up the Master Server” on page 94 for detailed instructions.

4. Repeat Step 2 and Step 3 for each slave server until all slave servers are removed from the original network and added to the new network.

5. Complete the procedures described in “Adding a Server to a VPN” on page 98, as required.


Completing Advanced Setup, Configuration, and Management Tasks

In addition to the basic setup procedures described in this chapter, there are several advanced setup, configuration, and management procedures you might need to complete, depending on your specific configuration. Advanced tasks are available in the online documentation and include the following:

• Selecting network protocols on your VPN

• Specifying the networks protected by a site-to-site VPN

• Setting up data encryption and data authentication methods

• Selecting whether the connection is initiated from one or both sides

• Adjusting the VPN server response timeout

• Tuning master-slave server synchronization

• Synchronizing VPN servers

• Removing a slave server from a VPN

• Selecting your VPN topology


Chapter 6: Setting Up Virtual Private Networks 113 


114 Installation and Setup 


Setting Up Access Control


Access control is the process by which user access to Internet and intranet services is regulated and monitored. Specifically, the Novell® BorderManager™ access control software allows or denies access requests made through the Novell IP Gateway, Proxy Services, or a Virtual Private Network (VPN) client.

When you enabled the Novell BorderManager HTTP proxy for all private interfaces during the software installation, access control was enabled by default. All HTTP proxy traffic through the private interface is denied until you configure an access rule to specifically allow users to access the HTTP proxy.

When access control is enabled, the access control list (ACL)—comprising the access rules—also applies to the Novell IP Gateway, the application proxies, and VPN clients attempting to connect to a VPN server.

An access rule can be created for a Country (C), Organization (O), Organizational Unit (OU), or Server object. This chapter explains how to set up basic access control so users can use the BorderManager services you enabled.

This chapter contains the following sections:

• “Setting Up a URL-Based Rule” on page 116

• “Setting Up a Rule to Allow Access through the Novell IP Gateway” on page 118

• “Setting Up a Rule to Allow Access through an Application Proxy” on page 120

• “Setting Up a Rule to Allow VPN Clients to Access VPN Servers” on page 122

• “Setting Up a Rule to Allow the Server to Resolve Hostnames” on page 123

• “Setting Up Time Restrictions for Access Rules” on page 124

• “Viewing All Rules That Apply to an Object” on page 125

• “Completing Advanced Setup, Configuration, and Management Tasks” on page 125

Note This chapter describes the tasks required to set up an initial implementation of access control. For planning and conceptual information about access control, refer to Novell BorderManager Enterprise Edition 3.5 Overview and Planning, available in the online documentation. Make sure you understand this information before setting up and configuring access control.


Setting Up a URL-Based Rule

URL-based access rules apply to users accessing Web content through the HTTP proxy or the Novell® IP Gateway. If you enabled the HTTP proxy for all private interfaces during the installation, the simplest way to allow users to access the HTTP proxy is to create a rule that allows any source on the private network to access any destination.

To create an access rule for a URL, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access rules are to be created and select Details.

2. Select the BorderManager Access Rules page and click Add.

3. In the Access Rule Definition page, specify Allow (the default) for Action. If you will be using the CyberNOT™ list from Cyber Patrol*, change the action to Deny.

4. For Access Type, select URL.

5. Under Source, specify Any to apply the rule to all NDS™ objects, Domain Name System (DNS) hostnames, IP addresses, and subnets, and skip to Step 6. Otherwise, select users, groups, or hosts as follows:

5a. Click Specified, then click Browse.

5b. Specify an NDS object, a DNS hostname, an IP address or range of addresses, or a subnet, including its subnet mask, then click Add.

Note For DNS hostname specifications, you can use the wildcard character (*) in your entry.

5c. To add additional sources, repeat Step 5b.

5d. After you have added the sources you want, click OK.

6. To set up a rule using the Cyber Patrol content categories, complete the following substeps. Otherwise, skip to Step 7.

6a. Under Destination, select Specified, then click Browse.

6b. From the drop-down menu, select CyberYES* List or CyberNOT List. These lists are available only after CPFILTER.NLM has been loaded on the server.

6c. Click the categories in the CyberYES or CyberNOT list, then click OK.

6d. Skip to Step 8.

Note You can use the Cyber Patrol lists free of charge during the 45-day trial subscription period. To use the lists after the trial period, you must extend your Cyber Patrol subscription. For more information on subscribing, refer to “Installing Cyber Patrol” on page 17.

7. Under Destination, specify Any to apply the rule to any URL; otherwise select Specified and do the following:

7a. Click Browse > Add.

7b. Enter the unqualified URL (www.novell.com, for example) and click OK.

7c. Repeat this process to add additional URLs, if necessary.

Note You can use wildcards in the URLs. However, be aware that the HTTP proxy and the Novell IP Gateway enforce rules with wildcards differently. The HTTP proxy enforces a rule with a wildcard in the hostname of a URL, while the Novell IP Gateway does not. For example, the HTTP proxy enforces rules for http://*.novell.*, http://*novell.*, and http://www.*.com, but the Novell IP Gateway ignores these rules. The Novell IP Gateway enforces rules containing wildcards only when the wildcard represents all the links from a home page, such as http://www.novell.com/*.

8. (Optional) If you want the server to record all access attempts that match the rule, click Enable Rule Hit Logging.

Logging access attempts can affect server performance; however, it is recommended that you do so to detect unauthorized activity.

9. Click OK, as necessary, to return to the BorderManager Access Rules page, then click OK to update the access rules.


Setting Up a Rule to Allow Access through the Novell IP Gateway

Access rules created for ports apply to users logged in from a Novell IP Gateway or SOCKS client. This section describes how to create an access rule for a port.

To allow users to access specific services through the Novell IP Gateway, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access rules are to be created and select Details.

2. Select the BorderManager Access Rules page and click Add.

3. In the Access Rule Definition page, specify Allow (the default).

4. For Access Type, select Port.

5. Specify the following under Access Details:

• Select a service from the Service drop-down menu.

• Enter an origin server port or range of ports.

• Select a transport protocol from the Transport drop-down menu.

6. Under Source, accept Any to apply the rule to all NDS™ objects, DNS hostnames, IP addresses, and subnets, click OK and proceed to Step 7. Otherwise, select users, groups, or hosts as follows:

6a. Click Specified, then click Browse.

6b. Specify an NDS object, a DNS hostname, an IP address or range of addresses, or a subnet, including its subnet mask, and click Add.

Note For DNS hostname specifications, you can use the wildcard character (*) in your entry.

6c. To add additional sources, repeat Step 6b.

6d. After you have added the sources you want, click OK.

7. Under Destination, specify Any to apply the rule to any destination, click OK and skip to Step 8. Otherwise select destinations as follows:

7a. Click Specified, then click Browse.

7b. Specify a DNS hostname, an IP address or range of addresses, or a subnet, including its subnet mask, and click Add.

Note For DNS hostname specifications, you can use the wildcard character (*) in your entry.

7c. To add additional destinations, repeat Step 7b.

7d. After you have added all the destinations, click OK.

Important If you create a rule that allows access to any destination whose hostname must be resolved by a DNS name server, you must create another rule that allows the BorderManager™ server to resolve the hostname. Refer to “Setting Up a Rule to Allow the Server to Resolve Hostnames” on page 123.

8. (Optional) If you want the server to record all access attempts that match the rule, click Enable Rule Hit Logging.

Logging access attempts can affect server performance; however, it is recommended that you do so to detect unauthorized activity.

9. Click OK to close the Access Rule Definition page.

10. Repeat Step 2 through Step 9 for each service you want users to be able to access.

11. Click OK, as necessary, to return to the BorderManager Access Rules page, then click OK to update the access rules.
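The two procedures above define the data an access rule carries (action, access type, source, destination, port range, transport, rule hit logging) and one subtle enforcement rule: the HTTP proxy honours a wildcard in the hostname of a URL, while the Novell IP Gateway ignores such rules and honours a wildcard only as a trailing /* covering all links under a home page. The Python below is an added example for this chapter and not Novell's code; it models rule evaluation from what the chapter states (first matching rule wins, no match means deny, as the chapter says proxy traffic is denied until a rule allows it) with constructed addresses and URLs, so that an administrator can see why a wildcard rule that works through the HTTP proxy gives a different answer through the IP Gateway.

```python
"""Constructed model of BorderManager access-rule evaluation for URL rules and
port rules.  Illustration only, not Novell's code: it encodes behaviour the
chapter describes and nothing more.  Addresses, hostnames and URLs are made up."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

HTTP_PROXY = "http_proxy"   # the two services that enforce URL rules
IP_GATEWAY = "ip_gateway"


@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    access_type: str                          # "url" or "port"
    source: str = "any"                       # "any", IP, subnet, or DNS pattern with *
    destination: str = "any"                  # URL pattern (url) or host/subnet (port)
    ports: Optional[Tuple[int, int]] = None   # origin server port range (port rules)
    transport: str = "tcp"
    log_hits: bool = False                    # Enable Rule Hit Logging


def endpoint_matches(pattern: str, ip: str, host: Optional[str] = None) -> bool:
    """Source/destination match: IP address, subnet with mask, or DNS hostname
    (the chapter allows * in hostname entries)."""
    if pattern == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address or subnet, so treat it as a hostname pattern
    return host is not None and fnmatch.fnmatchcase(host.lower(), pattern.lower())


def _split(entry: str) -> Tuple[str, str]:
    """(host, path) of a URL; an unqualified entry such as www.novell.com is a host."""
    if "://" not in entry:
        return entry.lower(), ""
    parts = urlsplit(entry)
    return parts.netloc.lower(), parts.path


def url_rule_enforced(pattern: str, service: str) -> bool:
    """HTTP proxy: any wildcard placement is enforced.  IP Gateway: a rule with a
    wildcard in the hostname is ignored; only a trailing /* is enforced."""
    host, path = _split(pattern)
    if service == HTTP_PROXY:
        return True
    return "*" not in host and ("*" not in path or path == "/*")


def url_matches(pattern: str, url: str) -> bool:
    """Host part and path part are matched separately; a pattern without a path
    (e.g. http://*.novell.*) covers every path on the matching hosts."""
    phost, ppath = _split(pattern)
    uhost, upath = _split(url)
    if not fnmatch.fnmatchcase(uhost, phost):
        return False
    return ppath == "" or fnmatch.fnmatchcase(upath or "/", ppath)


@dataclass
class Acl:
    rules: List[Rule]
    hit_log: List[str] = field(default_factory=list)   # rule-hit log entries

    def _decide(self, rule: Rule, what: str) -> str:
        if rule.log_hits:
            self.hit_log.append(f"{rule.action.upper()} {what}")
        return rule.action

    def check_url(self, service: str, src_ip: str, url: str,
                  src_host: Optional[str] = None) -> str:
        """First matching URL rule wins; with no match the request is denied."""
        for r in self.rules:
            if r.access_type != "url" or not endpoint_matches(r.source, src_ip, src_host):
                continue
            if r.destination != "any" and not (url_rule_enforced(r.destination, service)
                                               and url_matches(r.destination, url)):
                continue
            return self._decide(r, f"{service} {src_ip} -> {url}")
        return "deny"

    def check_port(self, src_ip: str, dst_ip: str, port: int, transport: str = "tcp",
                   src_host: Optional[str] = None, dst_host: Optional[str] = None) -> str:
        """Port rules (Novell IP Gateway / SOCKS clients): service port range,
        transport, source and destination must all match."""
        for r in self.rules:
            if r.access_type != "port" or r.transport != transport:
                continue
            if r.ports and not (r.ports[0] <= port <= r.ports[1]):
                continue
            if not endpoint_matches(r.source, src_ip, src_host):
                continue
            if not endpoint_matches(r.destination, dst_ip, dst_host):
                continue
            return self._decide(r, f"{transport}/{port} {src_ip} -> {dst_ip}")
        return "deny"


if __name__ == "__main__":
    acl = Acl([Rule("allow", "url", "10.0.0.0/8", "http://*.novell.*")])
    for svc in (HTTP_PROXY, IP_GATEWAY):
        print(svc, acl.check_url(svc, "10.1.2.3", "http://www.novell.com/products"))
```

The same ACL answers "allow" through the HTTP proxy and "deny" through the IP Gateway for the same user and URL, which is exactly the discrepancy the wildcard note warns about; when both services are enabled, write IP Gateway rules without hostname wildcards or add an explicit unqualified host entry beside the wildcard rule.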
Setting Up a Rule to Allow Access through an Application Proxy

If you set up port rules to allow HTTP (port 80), FTP (port 21), Telnet (port 23),
Simple Mail Transport Protocol (SMTP) (port 25), Network News Transfer
Protocol (NNTP) news (port 119), or RealAudio (port 7070), they apply only
if users are accessing these services through the Novell® IP Gateway. When a
user is accessing an application proxy, these rules are ignored. If you want
similar rules to apply to users accessing these services through an application
proxy, you must set up access rules for the individual application proxies.

To create an access rule for Proxy Services, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access
rules are to be created and select Details.

2. Select the BorderManager Access Rules page and click Add.

3. In the Access Rule Definition page, specify Allow (the default).

4. For Access Type, select Application Proxy.

5. For Access Details, select a proxy from the Proxy drop-down menu.

The port number information is automatically filled in for you. If you
selected the News proxy, a drop-down menu is added that allows you to
specify the direction: Posting or Reading.

6. Under Source, accept Any to apply the rule to all NDS™ objects,
DNS hostnames, IP addresses, and subnets, and skip to Step 7.
Otherwise, select users, groups, or hosts as follows:

6a. Click Specified, then click Browse.

6b. If you did not select the SMTP Mail or News proxy in Step 4,
specify an NDS object, a DNS hostname, an IP address or
range of addresses, or a subnet, including its subnet mask, then
click Add.

For DNS hostname specifications, you can use the wildcard
character (*) in your entry.

If you selected the RealAudio, Generic TCP, Generic UDP, or
Telnet proxy in Step 4, you can specify an IP address or a subnet
address only.

6c. If you selected the SMTP Mail proxy in Step 4, specify an
e-mail user name or an e-mail domain name to specify all users
in the domain, then click Add.

6d. If you selected the News proxy in Step 4 and selected Posting
for the direction, specify an e-mail username, then click Add.

6e. To add additional sources, repeat Step 6b, Step 6c, or Step 6d.

6f. When you have added the sources you want, click OK.

7. Under Destination, accept Any to apply the rule to any destination
and skip to Step 7f; otherwise select destinations as follows:

7a. Click Specified, then click Browse.

7b. If you did not select the SMTP Mail or News proxy in Step 4,
specify a DNS hostname, an IP address or range of addresses,
or a subnet, including its subnet mask, then click Add.

For DNS hostname specifications, you can use the wildcard
character (*) in your entry.

7c. If you selected the SMTP Mail proxy in Step 4, specify an
e-mail username or an e-mail domain name to specify all users in
the domain, then click Add.

7d. If you selected the News proxy in Step 4, specify a news group
name, then click Add.

7e. To add additional destinations, repeat Step 7b, Step 7c, or Step
7d.

7f. After you have added all the destinations, click OK.

Important If you create a rule that allows access to any destination whose hostname must
be resolved by a DNS name server, you must create another rule that allows the
BorderManager™ server to resolve the hostname. Refer to “Setting Up a Rule
to Allow the Server to Resolve Hostnames” on page 123.

8. (Optional) If you want the server to record all access attempts that
match the rule, click Enable Rule Hit Logging.

Logging access attempts can affect server performance; however, it is
recommended that you do so to detect unauthorized activity.

9. Click OK, as necessary, to return to the BorderManager Access
Rules page, then click OK to update the access rules.
Setting Up a Rule to Allow VPN Clients to Access VPN Servers

Access rules for VPN clients apply both to VPN LAN clients and to VPN
clients that are attempting to connect to a VPN server using a dial-in
connection.

To create an access rule for a VPN Client, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access
rules are to be created and select Details.

2. Select the BorderManager Access Rules page and click Add.

3. In the Access Rule Definition page, specify Allow (the default).

4. For Access Type, select VPN Client.

5. Under Source, accept Any to apply the rule to all NDS™ objects,
DNS hostnames, IP addresses, and subnets, and skip to Step 6.
Otherwise, select users, groups, or hosts as follows:

5a. Click Specified, then click Browse.

5b. Click Add, select from among the available objects in the NDS
tree, and click OK.

5c. To add additional sources, repeat Step 5b.

5d. When you have added the sources you want, click OK.

6. Under Destination, accept Any to apply the rule to any VPN server
in the NDS tree and skip to Step 8; otherwise select destinations as
follows:

6a. Click Specified, then click Browse.

6b. Click Add, select from among the available server objects in
the NDS tree, and click OK.

6c. To add additional destinations, repeat Step 6b.

6d. After you have added all the destinations, click OK.

7. (Optional) If you want the server to record all access attempts that
match the rule, click Enable Rule Hit Logging.

Logging access attempts can affect server performance; however, it is
recommended that you do so to detect unauthorized activity.

8. Click OK, as necessary, to return to the BorderManager Access
Rules page, then click OK to update the access rules.


Setting Up a Rule to Allow the Server to Resolve Hostnames

If you create any rules that allow access to hostname destinations that must be
resolved by a DNS name server, you must create another rule at the
Organization (O) or Organizational Unit (OU) object that contains the Novell®
BorderManager™ server to allow the server to resolve the hostname.

To create an access rule that allows the server to access a DNS host to resolve a
hostname, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access
rules are to be created and select Details.

2. Select the BorderManager Access Rules page and click Add.

3. In the Access Rule Definition page, specify Allow (the default value).

4. For Access Type, select DNS.

The port number 53 appears in the Port field. Allowing outbound access
to port 53 enables the BorderManager server to issue a DNS query.

5. Under Source, accept Any.

6. Under Destination, accept Any to allow any DNS name server to
resolve the hostname and skip to Step 8; otherwise select destinations
as follows:

6a. Click Specified, then click Browse.

6b. Specify a DNS hostname and click Add.

For DNS hostname specifications, you can use the wildcard
character (*) in your entry.

6c. To add additional destinations, repeat Step 6b.

6d. After you have added all the destinations, click OK.

7. (Optional) If you want the server to record all access attempts that
match the rule, click Enable Rule Hit Logging.

Logging access attempts can affect server performance; however, it is
recommended that you do so to detect unauthorized activity.

8. Click OK, as necessary, until you return to the BorderManager
Access Rules page, then click OK to update the access rules.


Setting Up Time Restrictions for Access Rules

By default, access rules you create are enforced 24 hours a day, every day. If
you want to specify when access rules are enforced, you can set up a time
restriction for each rule so it is effective only during a part of the day or week.

To specify time restrictions for an access rule, complete the following steps:

1. In NetWare® Administrator, right-click the object where the access
rule has been created and select Details.

2. Select the BorderManager Access Rules page.

3. In the access rules list, highlight the access rule for which you want
to specify time restrictions. Click Time Restrictions, then click
Specified.

4. In the grid, click and drag through the days and times that you want
the access rule to be in effect.

A highlighted area means the access rule applies to the source only
during that time. To revert to enforcing the rule at all times, click None.

5. Click OK to return to the BorderManager Access Rules page, then
click OK to update the access rules.


Viewing All Rules That Apply to an Object 


Because access rules can be applied to different object classes in an NDS™ 
tree, more than one rule can affect a single object. The effective rules of an 
object are all access rules, in order of execution, from the Server object up to 
the root of the NDS tree. 


To view the effective rules of an object, complete the following steps: 


1. From an administrator workstation, log in to the NDS tree where the 
Novell® BorderManager™ server is located and start the NetWare® 
Administrator utility. 


2. Locate the source object for which you want to view access rules in 
the NDS tree, right-click the object, and select Details. 


The object must be a Server, Organization, Organizational Unit, or 
Country. 


3. Select the BorderManager Access Rules page. 


4. Click Effective Rules. 


A new window displays all access rules in the order they are applied. 


Note New access rules will not be displayed in the effective rules list until the server 
is updated (Refresh Server) because they are not yet saved in NDS. 
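As an added illustration (not from the Novell documentation) of how an effective rule list is evaluated, the following Python model walks rules in order from the Server object up to the root, lets the first match decide, honours the * wildcard in DNS hostname entries, the Time Restrictions grid as (weekday, hour) cells and Rule Hit Logging, and flags Allow rules with hostname destinations that lack the DNS rule from “Setting Up a Rule to Allow the Server to Resolve Hostnames”. The class and function names, the sample rules, and the default deny when nothing matches are assumptions made here.

```python
"""Added example, not part of the Novell documentation: a model of how a
BorderManager-style effective rule list is evaluated.  Rule fields follow the
Access Rule Definition page described above; the class and function names,
the sample rules and the default deny when nothing matches are assumptions."""
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass

ANY = "Any"  # the Any choice for Source or Destination

@dataclass
class Rule:
    name: str
    action: str                  # "Allow" or "Deny"
    access_type: str             # "Port", "Application Proxy", "VPN Client" or "DNS"
    port: int | None = None      # e.g. 80 for HTTP, 53 for DNS
    source: object = ANY         # ANY, or a list of NDS object / hostname / IP / range / subnet entries
    destination: object = ANY    # ANY, or a list of hostname / IP / range / subnet entries
    times: set[tuple[int, int]] | None = None  # Time Restrictions grid cells (weekday, hour); None = always
    log_hits: bool = False       # Enable Rule Hit Logging

def _parse(spec: str):
    """Classify one entry as typed in the GUI: 'a.b.c.d-e.f.g.h' (range),
    'a.b.c.d/mask' (subnet with its mask), a single IP address, or otherwise a
    DNS hostname or NDS name pattern in which '*' is a wildcard."""
    try:
        if "-" in spec:
            lo, hi = spec.split("-", 1)
            return "range", ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if "/" in spec:
            return "net", ipaddress.ip_network(spec, strict=False), None
        return "ip", ipaddress.ip_address(spec), None
    except ValueError:
        return "host", spec.lower(), None

def spec_matches(spec: str, value: str) -> bool:
    kind, a, b = _parse(spec)
    if kind == "host":
        return fnmatch.fnmatchcase(value.lower(), a)
    try:
        v = ipaddress.ip_address(value)
    except ValueError:
        return False  # a name never matches an address entry
    if kind == "range":
        return a <= v <= b
    if kind == "net":
        return v in a
    return v == a

def rule_matches(rule: Rule, access_type: str, port: int | None,
                 source: str, destination: str, when: tuple[int, int]) -> bool:
    """Every configured part of the rule must match the request."""
    if rule.access_type != access_type:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.source != ANY and not any(spec_matches(s, source) for s in rule.source):
        return False
    if rule.destination != ANY and not any(spec_matches(d, destination) for d in rule.destination):
        return False
    if rule.times is not None and when not in rule.times:
        return False
    return True

def effective_decision(effective_rules: list[Rule], access_type: str, port: int | None,
                       source: str, destination: str, when: tuple[int, int],
                       hit_log: list[str]) -> str:
    """Walk the effective rules in order (Server object first, then each container
    up to the root); the first matching rule decides and, if Rule Hit Logging is
    enabled on it, is recorded in hit_log.  No match: Deny (assumption)."""
    for rule in effective_rules:
        if rule_matches(rule, access_type, port, source, destination, when):
            if rule.log_hits:
                hit_log.append(f"{rule.name}: {rule.action} {source} -> {destination}:{port}")
            return rule.action
    return "Deny"

def rules_missing_dns_rule(effective_rules: list[Rule]) -> list[str]:
    """The Important note above: an Allow rule whose destination is a hostname
    needs an Allow rule of access type DNS in the effective list, or the server
    cannot resolve the name.  Returns the names of Allow rules lacking one."""
    if any(r.action == "Allow" and r.access_type == "DNS" for r in effective_rules):
        return []
    return [r.name for r in effective_rules if r.action == "Allow" and r.destination != ANY
            and any(_parse(d)[0] == "host" for d in r.destination)]

# Constructed sample: one logged Server-object rule, then a container-level DNS rule.
BUSINESS_HOURS = {(day, hour) for day in range(5) for hour in range(8, 18)}  # Mon-Fri, 08:00-17:59
SERVER_RULES = [Rule("web-allow", "Allow", "Port", 80, ["10.0.0.0/255.255.255.0"],
                     ["*.acme.com"], BUSINESS_HOURS, log_hits=True)]
CONTAINER_RULES = [Rule("dns-allow", "Allow", "DNS", 53)]
EFFECTIVE_RULES = SERVER_RULES + CONTAINER_RULES
```

Running rules_missing_dns_rule over SERVER_RULES alone reports web-allow, which is exactly the configuration the Important note warns about; adding the container-level DNS rule clears it.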


Completing Advanced Setup, Configuration, and
Management Tasks

In addition to the basic setup procedures described in this chapter, there are
several advanced setup, configuration, or management procedures you might
need to complete, depending on your specific configuration. Advanced tasks
are available in the access control online documentation and include the
following:

• Viewing user statistics
• Viewing user log entries
• Viewing rule descriptions
• Viewing host statistics
• Viewing host record entries
• Viewing usage trends
• Exporting data
Setting Up Novell BorderManager
Authentication Services

Novell® BorderManager™ Authentication Services enables remote users to dial
in to NetWare® networks and access network information and resources. It
maintains security by requiring users to authenticate using the Remote
Authentication Dial-In User Service (RADIUS) protocol. It consists of the
following three components:

• RADIUS server (the NetWare server on which you install the
BorderManager Authentication Services software)
• Network access server (the device remote users dial in to)
• Administration workstation (NetWare Administrator)

This chapter contains the following sections:

• “BorderManager Authentication Services Prerequisites” on page 128
• “Upgrading From A Previous Version” on page 128
• “Creating a Dial Access System Object” on page 129
• “Creating a Dial Access Profile Object” on page 132
• “Enabling a User for Dial Access Services” on page 134
• “Starting Novell BorderManager Authentication Services” on page 135
• “Testing Novell BorderManager Authentication Services” on page 136
• “Completing Advanced Setup, Configuration, and Management Tasks”
on page 137

Note This chapter describes the tasks required to set up, start, and test an initial
implementation of BorderManager Authentication Services. For planning and
conceptual information about BorderManager Authentication Services, refer to
Novell BorderManager Enterprise Edition 3.5 Overview and Planning, available
in the online documentation. Make sure you understand this information before
setting up and configuring BorderManager Authentication Services.


BorderManager Authentication Services Prerequisites

Before you set up Novell® BorderManager™ Authentication Services, verify
that the following prerequisites have been met:

• TCP/IP is configured and functioning on the RADIUS server and the
network access server
• The network access server is RADIUS compliant (IETF RFC 2138 and
RFC 2139 for accounting support)
• RADIUS authentication is enabled on the network access server
• The RADIUS server address on the network access server is set to the
NetWare® server on which the RADIUS server software will be installed
• The RADIUS secret is established and known by the network access server


Upgrading From A Previous Version

If you are upgrading Novell® BorderManager™ Authentication Services
configuration information created with a previous version of the product to the
current version, consider the following issues:

RADIUS Server: The current RADIUS server (RADIUS.NLM) can work
with dial access configurations created with both previous and current
versions of BorderManager Authentication Services.

NetWare Administrator: The current snap-in module to NetWare® Administrator
converts the dial access configuration created in a previous version to a new
format that is incompatible with previous versions of NetWare Administrator.

Previous versions of the snap-in module to NetWare Administrator must only
be used with a dial access configuration created using this snap-in module.

A previous version of the snap-in module to NetWare Administrator cannot be
used with the current version of the RADIUS server.





Creating a Dial Access System Object

An NDS™ Dial Access System object stores configuration information for
RADIUS servers and can manage a common configuration for a collection of
RADIUS servers working together. You must create at least one Dial Access
System object in the NDS tree where your RADIUS server resides. All
participating RADIUS servers use the Dial Access System object for
configuration. The information stored in the object includes the following:

• Clients—Allows you to define IP addresses for the network access
servers and the shared secrets used among the RADIUS servers, network
access servers, and proxy RADIUS servers from which requests will be
received.
• Domains—Allows you to configure other RADIUS servers to which you
want to forward RADIUS requests.
• Username Resolution—Defines the search path for objects.
• Miscellaneous—Allows you to change the Dial Access System password
and to install an attribute file.
• Remote connection restrictions—Allow you to restrict the number of
concurrent remote connections.
To create a Dial Access System object, complete the following steps:

1. In NetWare® Administrator, select the Organization or
Organizational Unit object where you want to place the Dial Access
System object.

2. From the Object menu, click Create > Dial Access System > OK.

3. Enter the name for the Dial Access System object and click Create.

4. Double-click the Dial Access System object you just created, then
click Clients > Add.

4a. Enter the IP address of the network access server in the Client
Address field.

4b. Select Client Type (the default is Generic RADIUS).

4c. Enter the RADIUS secret. Reenter the secret.

The RADIUS secret should be a random string of 20 to 30
alphanumeric characters. The secret is used to protect
authentication information sent across the network.

4d. Check Add Another Client if you want to add another network
access server after you create this one. Leave this check box
unchecked if this is the last (or only) RADIUS client that you
will create.

4e. Click OK.

5. Select Username Resolution.

5a. Click Disable if you want to prevent users from using their NDS
common name for login.

5b. Click Use NDS Find to Resolve Usernames if you want to
search the NDS database for a user’s name.

5c. Click Use Lookup Contexts List to Resolve Usernames if you
want to specify search paths for the name contexts, click Add,
and then browse and select the name context.

5d. Click OK.

6. Select Miscellaneous.

7. Select Change Dial Access System Password.

7a. Enter the new password.

The Dial Access System password is used to generate encryption
keys that protect passwords and secrets. Therefore, we recommend
that the Dial Access System password be a random string of 20 to
30 alphanumeric characters. The password is required to start the
service.

7b. Reenter the new password and click OK.

8. Click OK twice.

You are now ready to create a Dial Access Profile object. Refer to the NetWare
Administrator online help for information about specific configuration
procedures for domains and remote connection restrictions.


Creating a Dial Access Profile Object

Each Dial Access Profile object defines the common attributes of a service
used by one or more dial-in users. This simplifies administration by eliminating
the need to configure the attributes of each user. You can define as many
profiles as required to define different services. For example, you can create a
Telnet profile that enables users to connect a terminal server to a host. You can
also create a Telnet profile that enables users to connect to a host using a
terminal or a terminal emulation program.

The Dial Access Profile object contains a list of RADIUS attributes that specify
the configuration for creating a specific service.

Creating a Dial Access Profile Object for PPP Service

To create a Dial Access Profile object for the Point-to-Point Protocol (PPP)
service, complete the following steps:

1. In NetWare® Administrator, select or create the Organizational Unit
where you want to place the Dial Access Profile object.

2. From the Object menu, click Create > Dial Access Profile > OK.

3. Enter a name for the Dial Access Profile object (such as PPP) and
click Create.

4. Double-click the Dial Access Profile object you just created, then
click Attributes > Add.

4a. Double-click Generic.

4b. Select Service-Type from the Attribute list and select Framed
in the Value field.

4c. Select Framed-Protocol from the Attribute list and select PPP
in the Value field.

5. Select the appropriate attributes from the list and click OK.

6. When you have finished adding attributes, uncheck Add Another
Attribute. Click OK from the Edit Attribute dialog box.

7. Click OK.

You can now enable users for dial access services.
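The following added Python example (not Novell's code) shows what the RADIUS secret entered in Step 4c of “Creating a Dial Access System Object” protects, following RFC 2138 as cited in the prerequisites: the User-Password hiding in an Access-Request, and the Response Authenticator on an Access-Accept that carries the Service-Type Framed and Framed-Protocol PPP attributes the PPP profile above configures. The attribute numbers and values are RFC 2138's; the function names and the sample username, password and secret are assumptions made here.

```python
"""Added example, not Novell's code: the RFC 2138 mechanisms that the RADIUS
secret from Step 4c protects, and an Access-Accept carrying the Service-Type
Framed / Framed-Protocol PPP attributes the PPP profile above configures.
Attribute numbers and values are RFC 2138's; function names are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1   # values set in the PPP Dial Access Profile
INTEGER_ATTRIBUTES = {SERVICE_TYPE, FRAMED_PROTOCOL}

def generate_secret(length: int = 24) -> str:
    """Random alphanumeric secret in the 20 to 30 character range the page recommends."""
    if not 20 <= length <= 30:
        raise ValueError("use 20 to 30 characters")
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous block), the first keyed by the Request Authenticator.
    The secret is all that a sniffer lacks, which is why it must be random."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value) -> bytes:
    """Type, Length (counting these two octets), Value; integer values are 4 octets."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, len(value) + 2]) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length, 16-octet Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(ident: int, username: str, password: str, secret: bytes):
    """What the network access server sends; returns the packet and its Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username.encode()) + attribute(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server reply granting the PPP profile: Service-Type=Framed, Framed-Protocol=PPP."""
    attrs = attribute(SERVICE_TYPE, SERVICE_TYPE_FRAMED) + attribute(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)

def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a network access server must make on every reply: a reply built with
    a different secret, or altered in transit, carries a wrong Response Authenticator."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(code, ident, pkt[20:], request_auth, secret)
    return hmac.compare_digest(expected, pkt[4:20])

def parse_attributes(pkt: bytes) -> dict:
    """Attributes keyed by type; known integer attributes are decoded to int."""
    out, i = {}, 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            break                                   # malformed attribute: stop parsing
        value = pkt[i + 2:i + alen]
        out[atype] = struct.unpack("!I", value)[0] if atype in INTEGER_ATTRIBUTES and alen == 6 else value
        i += alen
    return out
```

Because the Request Authenticator is fresh per request, the same password hides to different bytes each time, but anyone holding the secret recovers it; that is the whole reason the page insists on a long random secret.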


Creating a Dial Access Profile Object for Telnet Service

To create a Dial Access Profile object for Telnet service, complete the
following steps:

1. In NetWare® Administrator, select or create the Organizational Unit
where you want to place the Dial Access Profile object.

2. From the Object menu, click Create > Dial Access Profile > OK.

3. Enter a name for the Dial Access Profile object (such as Telnet) and
click Create.

4. Double-click the Dial Access Profile object you just created, then
click Attributes > Add.

4a. Double-click Generic.

4b. Select Service-Type from the Attribute list and select Login in
the Value field.

4c. Select Login-Service from the Attribute list and select Telnet in
the Value field.

4d. Select Login-IP-Host from the Attribute list and enter the host
IP address in the Value field.

5. When you have finished adding attributes, uncheck Add Another
Attribute. Click OK from the Edit Attribute dialog box.

6. Click OK.

You can now enable users for dial access services.


Enabling a User for Dial Access Services

Dial access properties are added to the User object when the Novell®
BorderManager™ Authentication Services software is installed. The User Dial
Access Services property page allows you to

• Enable a user for dial access services
• Select the appropriate Dial Access System for the user
• Set the Dial Access System password for the user (if you use separate
passwords for dial-in users)
• Configure or define dial-in services for the user
• Select a default service if a user is configured for more than one dial
access service

In addition, the Organization and Organizational Unit Dial Access Services
property pages let you define default dial access properties for all users in the
selected container. You can also manage dial access services using a Group
object. Refer to the NetWare® Administrator online help for information about
specific configuration procedures.

You can specify dial access properties that are unique to a User object on a per-
property basis. This means that a User object dial access setting can override
the dial access setting of the parent container object, but other settings that are
not overridden in the User object will always be inherited from the parent
container object.

To enable a user for dial access services, complete the following steps:

1. In NetWare Administrator, click the User object that you want to
enable for dial access services and select Dial Access Services.

2. Select one of the following Dial Access Control settings:

• Disable—Disables dial access services for this user.
• Enable—Enables dial access services for this user.
• Use Container Setting—Specifies that the Dial Access Control
setting will be inherited from the parent container object.

Note You can still specify dial access properties that are unique to a User object on a
per-property basis when Use Container Setting is selected. Settings that are not
overridden are always inherited from the parent container object.

3. Browse the NDS™ tree and select a Dial Access System object.

In most situations, all users select the same Dial Access System object.

4. If the password policy is set to Use Separate Dial Access Passwords,
complete the following substeps:

4a. Click Set Dial Access Password.

4b. Enter the password. Reenter the password and click OK.

The Set Dial Access Password button might be disabled for one of
the following reasons:

• Use NDS Password is selected in the Dial Access System
object.
• No Dial Access System object is specified for the User object
or the parent container.
• No password is set for the Dial Access System object.

5. If desired, select additional configured services and the appropriate
attributes. Click OK twice.

You can now start BorderManager Authentication Services.


Starting Novell BorderManager Authentication Services

You should have performed the following tasks before you start Novell®
BorderManager™ Authentication Services:

• Create a Dial Access System object
• Create a Dial Access Profile object
• Enable one or more User objects for dial access services

To start the BorderManager Authentication Services program on a NetWare®
server, complete the following steps:

1. Enter the following command at the server console for
BorderManager Authentication Services:

LOAD RADIUS

TCP/IP should already be configured and running.

2. Enter the distinguished name of the Dial Access System object.

3. Enter the password of the Dial Access System object.

The following message should be displayed:

RADIUS services started.

You can now use BorderManager Authentication Services.

Refer to “Testing Novell BorderManager Authentication Services” if you want
to test whether your BorderManager Authentication Services configuration is
working properly.


Testing Novell BorderManager Authentication Services

To determine whether your Novell® BorderManager™ Authentication
Services configuration is working properly, complete the following steps:

1. In NetWare® Administrator, check that you have a valid Dial Access
System object.

2. Create a new Dial Access Profile object.

3. Enter PPP for the Dial Access Profile name and click OK.

4. Click the newly created PPP Dial Access Profile object > Attributes
> Add.

5. In the Attribute field, select Service-Type from the list.

6. In the Value field, select Framed.

7. Uncheck Add Another Attribute and click OK twice.

8. Click the User object that you want to enable for PPP access > Dial
Access Services.

9. Select the Dial Access System object that you already created.

10. Under Configured Services, select Add.

11. Select the PPP Dial Access Profile object that you already created
and click OK twice.

12. From a dial-in client configured to use PPP, connect to the network
access server.

13. When prompted for a username, enter the distinguished name of the
newly enabled User object, for example, .eric.acme.

14. Enter the password for the user.

15. Check the dial-in client to see whether it has access to the network.


Completing Advanced Setup, Configuration, and
Management Tasks

In addition to the basic setup procedures described in this chapter, there are
several advanced setup, configuration, or management procedures you might
need to complete, depending on your specific configuration. Advanced tasks
are available in the BorderManager Authentication Services online
documentation and include the following:

• Changing RADIUS server options
• Setting up dial access services and dial access attributes
• Setting up users and groups for container and group administration
• Setting up remote connection restrictions
• Planning token authentication
• Managing token authentication
• Planning authentication policies
• Setting up authentication policies
• Planning RADIUS proxy services
• Managing RADIUS proxy services
• Displaying RADIUS status messages
chapter

Setting Up Alert Notification

Novell® BorderManager™ Alert monitors server performance and security,
and reports potential or existing server problems that affect the performance of
configured BorderManager services.

BorderManager Alert reports server events indicating a potential problem with
any of the following:

• Server performance
• License acquisition, excluding BorderManager Authentication Services
licenses; BorderManager Alert will not report a problem with a
BorderManager Authentication Services license
• Security
• Proxy server connections

When an alert is triggered on a BorderManager server, the default notification
includes the following:

• An e-mail message (sent to all e-mail addresses in the E-mail Alert list)
• An entry in the server's audit trail log file
• A server console message

BorderManager Alert output supports automatic paging from your e-mail
system. This requires additional configuration and the process varies depending
on the e-mail software you use. Consult your e-mail software documentation to
determine if this option is configurable for your system.

This chapter explains the tasks you need to complete to set up an initial
implementation of BorderManager Alert e-mail notification. It contains the
following sections:

• “Setting Up Alert E-Mail Notification” on page 140
• “Completing Advanced Setup, Configuration, and Management Tasks”
on page 143

Important BorderManager Alert monitors a predefined set of server events. However, you
can select the individual events for which you want to receive notification.

Note This chapter describes the tasks required to set up an initial implementation of
BorderManager Alert. For planning and conceptual information about
BorderManager Alert, refer to Novell BorderManager Enterprise Edition 3.5
Overview and Planning, available in the online documentation. Make sure you
understand this information before setting up and configuring BorderManager
Alert.


Setting Up Alert E-Mail Notification 


To set up Novell® BorderManager™ e-mail notification, complete the 
following steps: 


1. In NetWare® Administrator, locate the object in the NDS™ tree 
where the alert configuration will be specified, then right-click the 
object and select Details. 


An alert can be configured only for an Organization (O), Organizational 
Unit (OU), or Server object. 


2. Click the BorderManager Alert page. 


3. Select one of the following notification schemes: 


N Inherit (default)—Specifies that an alert configuration is obtained 
from a container higher up in the NDS tree. An alert configured for 
a Server object cannot be inherited by another container or Server 
object. 


Inherit disables the E-mail Alert and E-mail Servers lists for the 
selected NDS object. If these lists have been previously 
configured, the recipients and servers in the lists are deleted after 
you click OK. 


To view the inherited information, click Effective Configuration. 
The Effective Configuration information is read-only. To change 
the alert information, identify the NDS container in the Location of 
Specification field and open the BorderManager Alert page from 
that containers Details page. 
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Send Alert—Enables the E-mail Alert and E-mail Servers lists you 
configure for the selected NDS object. To specify e-mail recipients 
and servers, continue with Step 4. 


None—Disables the alert service. No event or error notification 
will occur. However, selecting None preserves your configuration; 
recipients and servers are only inactive. 


4. (Optional) If you selected Send Alert in Step 3, specify the alert 
conditions for which you want notification. 


da. 
4b. 
4c. 
4d. 


Click Alert Conditions. 
Click Specific (the default is All). 
Check the check boxes to select the alert conditions. 


Click OK. 


5. Specify E-mail Alert Recipients and E-mail Servers. 


Note The BorderManager server must be configured with at least one e-mail server. 
Otherwise, alert notification will fail. 


5a. 


5b. 


5c. 


Click Add for the E-mail Alert field and enter the e-mail 
address of the person to be notified by BorderManager Alert. 


Add as many e-mail recipients as necessary. There is no upper limit 
on the number of recipients that can be added. 


(Optional) To remove a recipient from the list, highlight the 
recipient's e-mail address and click Delete for the E-mail Alert 
field. 


Click Add for the E-mail Server’s field and enter the e-mail 
server name or IP address for the recipients added in Step 5a. 


The first server in the list is the primary e-mail server. The primary 
server receives alert messages and routes them to other e-mail 
servers on the network, if necessary. 


All other servers in the list act as backup e-mail servers if the 
primary server fails to route the e-mail. This can occur if e-mail 
forwarding has been disabled on the primary server or if the 
primary server is down. 
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Add as many e-mail servers as necessary. Although there is no 
upper limit on the number of backup servers that can be added, 
BorderManager Alert sends alerts to only one e-mail server on the 
list. 


Hint To increase the performance of BorderManager Alert, enter the IP addresses of 
e-mail servers. When IP addresses are used, the BorderManager server is not 
required to process Domain Name System (DNS) lookups to resolve the DNS 
hostnames of e-mail servers. 


5d. (Optional) To remove an e-mail server’s from the list, highlight 
the e-mail server name or IP address and click Delete for the 
E-mail Server field. 


5e. (Optional) To change an e-mail server's status as a primary or 
backup server, click the Up-arrow or Down-arrow to move the 
e-mail server's name or IP address up or down the list. 


Click OK to save the configuration and exit the Details page. 


Clicking OK saves the configuration changes in NDS and notifies 
BRDSRV.NLM that a configuration change has occurred. Alert 
configurations are updated on each NDS replica during normal NDS 
synchronization. 


If you enabled an alert configuration for an entire organization, it might 
take a while for all BorderManager servers to be notified of the 
configuration change in NDS. 


7. (Optional) If you enabled an alert configuration for an entire 
organization and want a specific server to use the alert configuration 
immediately, rather than after NDS synchronization occurs, 
complete the following substeps: 


7a. Double-click the Server object representing the 
BorderManager server you want to begin using the alert 
configuration immediately. 


7b. From the Server object's Details page, click BorderManager 
Alert to view the BorderManager Alert page for the server. 


7c. Click Refresh Server. 


Important: When you first open the BorderManager Alert page, the Refresh Server button 
is available. Clicking Refresh Server causes BRDSRV.NLM to read the new alert 
configuration for this server only. It does not trigger a full NDS synchronization. 
If you modify the alert configuration for this Server object, the Refresh Server 
button is inactive and no longer an option. 
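The e-mail server list built in Steps 5a through 5e behaves as an ordered failover chain: the first entry is the primary, every later entry is a backup, and an alert is delivered to exactly one server. The following Python is added here as an illustration and is not code from the BorderManager product or from this guide. It models that ordering and the two failure modes the text names (server down, forwarding disabled) so the logic can be exercised offline. The transport callback, the send_alert and move_server functions and the sample addresses are assumptions made for the example; a real sender would wrap smtplib.SMTP. It also flags entries that are hostnames rather than IP literals, which is the condition described in the Hint above.

```python
"""Failover delivery modelled on the BorderManager Alert e-mail server list.

Added example, not Novell code. The list is ordered: index 0 is the primary,
the rest are backups, and an alert goes to exactly one server, the first
that accepts it.
"""
import ipaddress
from typing import Callable, List, Optional, Sequence, Set

# Hypothetical transport: deliver `message` to `recipients` via one server,
# return True on success, raise OSError if the server cannot be reached.
# Injected so the example runs offline; real code would wrap smtplib.SMTP.
Transport = Callable[[str, Sequence[str], str], bool]


def needs_dns_lookup(server: str) -> bool:
    """True if the entry is a hostname rather than an IP literal.

    Mirrors the guide's hint: a hostname forces the alerting host to resolve
    it through DNS before it can deliver; an IP literal does not."""
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return True
    return False


def move_server(servers: Sequence[str], index: int, up: bool) -> List[str]:
    """Reorder the list as the Up-arrow / Down-arrow buttons do (Step 5e).

    Index 0 is the primary, so moving an entry to index 0 promotes it.
    Moves past either end of the list are ignored."""
    new = list(servers)
    target = index - 1 if up else index + 1
    if 0 <= target < len(new):
        new[index], new[target] = new[target], new[index]
    return new


def send_alert(servers: Sequence[str], recipients: Sequence[str],
               message: str, transport: Transport) -> Optional[str]:
    """Try the primary, then each backup in order; stop at the first success.

    Returns the server that accepted the alert, or None if every server
    failed (the alert is lost, which is why the backups matter)."""
    if not recipients:
        raise ValueError("no alert recipients configured")
    for server in servers:
        try:
            if transport(server, recipients, message):
                return server
        except OSError:
            # Connection refused or timed out: the server is down, try the next.
            continue
    return None


def make_fake_transport(down: Set[str], no_relay: Set[str]) -> Transport:
    """Constructed transport for offline testing.

    Servers in `down` raise ConnectionRefusedError (server unreachable);
    servers in `no_relay` return False (reachable, but e-mail forwarding
    disabled, the other failure the guide describes)."""
    def transport(server: str, recipients: Sequence[str], message: str) -> bool:
        if server in down:
            raise ConnectionRefusedError(server)
        return server not in no_relay
    return transport


def demo() -> Optional[str]:
    # Constructed configuration: a hostname primary plus two IP-literal backups.
    servers = ["mail.example.com", "192.0.2.10", "192.0.2.11"]
    recipients = ["admin@example.com"]
    transport = make_fake_transport(down={"mail.example.com"},
                                    no_relay={"192.0.2.10"})
    return send_alert(servers, recipients, "BorderManager Alert: test", transport)


if __name__ == "__main__":
    print("servers needing DNS:", [s for s in demo.__code__.co_consts
                                   if isinstance(s, str) and needs_dns_lookup(s)
                                   and "." in s and "@" not in s])
    print("delivered via:", demo())
```

In the constructed scenario the primary is down and the first backup will not forward, so the alert lands on the second backup; moving an entry to the top of the list with move_server corresponds to promoting it to primary with the Up-arrow. Entries for which needs_dns_lookup returns True are the hostnames the Hint suggests replacing with IP addresses.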
Completing Advanced Setup, Configuration, and Management Tasks 


In addition to the basic setup procedures described in this chapter, there are 
several advanced setup, configuration, or management procedures you might 
need to complete, depending on your specific configuration. Advanced tasks 
are available in the BorderManager Alert online documentation and include the 
following: 

- Viewing alerts sent as e-mail messages 

- Viewing alerts in the audit trail log file 

- Viewing alerts in the console log 

- Responding to alerts 
Appendix: Meeting the Prerequisites 


This appendix provides reference information for installing and configuring 
your NetWare® server with the prerequisite software for Novell® 
BorderManager™, and includes the following sections: 

- “NetWare 5 Prerequisites” on page 145 

- “Preparing the Server” on page 146 

- “Installing NetWare 5” on page 146 

- “Upgrading to NetWare 5” on page 147 

- “Adding an NDS Replica” on page 147 

- “Installing Support Pack Software” on page 148 

- “Configuring TCP/IP” on page 150 


NetWare 5 Prerequisites 


To install the NetWare 5™ operating system or upgrade an existing NetWare® 
server, review the following checklist and ensure that your server meets the 
prerequisites. 


[ ] PC with an Intel* Pentium* or higher processor. 

[ ] VGA or higher-resolution monitor (SVGA recommended; SVGA 
requires a VESA-compliant video card). 

[ ] One or more network boards. 

[ ] Serial or PS/2* mouse (recommended). 

[ ] CD-ROM drive that can read ISO 9660 formatted CD-ROM disks. 

[ ] DOS drivers for the CD-ROM drive to support a local upgrade. 

[ ] Novell® Client™ for DOS and Windows 3.1x to support a network 
upgrade. 

[ ] For a NetWare 5 installation, 1 GB of available disk space (2 GB 
recommended) and 64 MB of RAM (128 MB of RAM is recommended). 

[ ] For an upgrade to NetWare 5, a 30-MB boot (DOS) partition (50 MB is 
recommended). An upgrade also requires a NetWare partition with 290 
MB of available disk space or 290 MB of free space to create a new 
partition. 

[ ] A NetWare 5 license. Novell BorderManager Enterprise Edition includes 
a runtime license (NW5_5.NLF). This license is located in the 
\LICENSE directory on the license diskette. 


Preparing the Server 


To prepare the server for installing NetWare 5™, complete the following steps: 

1. Start a computer with DOS 3.3 or later. 

2. Use the FDISK command to create a 50-MB boot partition and make 
it active. 

3. Use the FORMAT /S command to format and transfer system files to 
the boot partition. 

4. If you are installing NetWare 5 from the CD-ROM, install the 
software necessary to access the CD-ROM drive. 

5. If you are installing NetWare 5 from the network, install Novell 
Client™ for DOS and Windows 3.1x to access the network. 


Installing NetWare 5 


For detailed instructions on installing NetWare 5™, refer to the NetWare 5 
documentation. 
Upgrading to NetWare 5 


NetWare 5™ can be installed as an upgrade to an existing NetWare® 3.1x or 
NetWare 4.1 or later server. For detailed instructions, refer to the NetWare 5 
documentation. 


Adding an NDS Replica 


Because Novell® BorderManager™ is a Novell Licensing Services (NLS) 
enabled application, the first BorderManager server installed into a tree or a 
particular partition must be installed on a NetWare® server that holds a read/ 
write replica of that partition. All BorderManager servers installed into the 
same partition at a later time are not required to have a read/write replica. You 
do not need to add a replica to install BorderManager on the first three servers 
in a tree because these servers already have NDS™ replicas by default. The 
first server holds a master, and the second and third servers hold read/write 
replicas. Use the NDS Manager utility to add a read/write replica. 


To add a read/write replica to a server, complete the following steps: 

1. From your administration workstation, run the NDS Manager 
utility (SYS:\PUBLIC\WIN95\NDSMGR32.EXE). 

2. Select the partition you want to replicate. 

3. From the Object menu, select Add Replica. 

4. Click Browse to select the server on which to place the replica. 

5. Click the Server object representing the NetWare server to which 
you want to add the read/write replica, then click OK. 

6. Click the Read/Write radio button, then click OK. 

7. Select Yes to continue. 

After the utility adds the replica, the replica's status is displayed as New. 
After the status of the replica changes to On, you can continue with the 
BorderManager installation. 

8. From the Object menu, select Exit. 
Installing Support Pack Software 


You must install Support Pack 2 or later on your NetWare 5™ server and 
Support Pack 6 or later on your NetWare® 4.11 or later server before you can 
install Novell® BorderManager™ software. Support Pack 6 for NetWare 4.11 
includes the Novell Licensing Services (NLS) Kit. 


The latest Consolidated Support Pack (CSP) is included on a CD-ROM 
shipped with BorderManager. The CSP includes the latest NetWare 5 and 
NetWare 4.x Support Packs. You can also download the latest CSP from the 
Novell Technical Support Web site. We recommend that you use the latest 
Support Pack available. 


Both Support Packs are installed using the PINSTALL utility. To install 
either Support Pack on your server from a CD-ROM drive, complete the 
following steps: 


1. At the NetWare server console prompt, enter 


LOAD INSTALL 
2. Select Product Options > Install a Product Not Installed. 
3. Press F3. 


4. Replace A:\ with the path to the Support Pack, then press Enter. 


If you are installing from the BorderManager CD-ROM, enter the drive 
label and path. On NetWare 5, which mounts CD-ROMs as volumes, use 
the volume label, BMEE35_DES: (for the 56-bit encryption version) or 
BMEE35_3DES: (for the 128-bit encryption version), followed by the 
remainder of the file path, \CSP\NWS5SP2, to install the NetWare 5 
Support Pack. On NetWare 4, which can read the CD-ROM as a drive, 
use D:\ followed by the remainder of the path, \CSP\SPACK6A, to install 
the NetWare 4 Support Pack. 


A warning message is displayed. 


5. Select Continue and access the CD-ROM, then press Enter. 
6. Check the appropriate installation options. 


You must select the options to back up the files replaced by the Support 
Pack, and to install the Support Pack. Additionally, on NetWare 4, you 
must also select the option to install the Disk, LAN, and WAN updates, 
and the Novell Licensing Services Kit (NLSKIT). NLS is already 
installed on NetWare 5 systems. 


7. Verify your installation selections, then press F10 to start the 
installation. 


You might receive the error message SETUPNLS could not be loaded. If 
you receive this message, press Enter to continue. 


8. At the Novell Licensing Setup Complete window, press Enter. 

9. At the Support Pack Installation Complete window, press Enter. 

10. Exit the installation utility. 

11. Enter the following commands to restart the server: 

DOWN 
RESTART SERVER 


A message is displayed warning you that to install BorderManager, you 
must run SETUPNLS.NLM on the server to convert your old licensing 
data and extend the schema. 


12. At the server prompt, enter 

LOAD SETUPNLS 


13. Select Yes to convert NLS objects, then press Enter. 


You must convert your old licensing data to NLS objects to install 
BorderManager. If you have a large NDS tree, this conversion might take 
some time. 
14. Log in to the NDS tree with a fully distinguished name, enter your 
password, then press Enter. 


Administrative rights are required to make modifications to the NDS 
schema. You must have administrative rights at the root of the NDS tree 
or be security equivalent to a user who has them. This requirement 
applies even to a user who is a trustee with Supervisor rights at a 
container at the same level as the server. 


15. Select Yes and press Enter to perform the schema modifications. 


You must modify the schema to install BorderManager. If you have a 
large NDS tree, these modifications might take some time. 


16. Select Yes and press Enter to remove the old NLS schema extensions. 


17. At the NLS Setup Complete message, press Enter. 


Configuring TCP/IP 


You must have TCP/IP bound and configured to install the Novell® 
BorderManager™ software. You can download the most recent version of 
TCPIP.NLM from the Novell Technical Support Web site. There are currently 
three versions of the TCPIP.NLM: 


- A version for NetWare® servers without BorderManager Enterprise 
Edition 3.x installed 

- A version for NetWare servers with the 56-bit encryption version of 
BorderManager Enterprise Edition 3.x installed 

- A version for NetWare servers with the 128-bit encryption version of 
BorderManager Enterprise Edition 3.x installed 


Make sure you get the appropriate version required for the server on which you 
will be installing TCP/IP. 


To verify that TCP/IP is configured on your server, complete the following 
steps: 

1. At the server console prompt, enter 

CONFIG 

2. Review the list for TCP/IP protocol configuration. 

If TCP/IP is not configured, continue with “Loading TCP/IP” on 
page 151. 


Loading TCP/IP 


To load TCP/IP, complete the following steps: 


1. At the NetWare® server console prompt, enter 

LOAD INETCFG 

2. To transfer the LAN driver, protocol, and remote access commands, 
select Yes. 

3. From the Internetworking Configuration menu, select Protocols > 
TCP/IP. 

4. Highlight TCP/IP Status and press Enter. 

5. Select Enabled and press Enter. 

6. To return to the Internetworking Configuration menu, press Esc 
twice. 

7. From the Internetworking Configuration menu, select Bindings. 

8. Press Ins and select TCP/IP. 

9. From the list of configured network interfaces, select the network 
board to which TCP/IP will bind. 

10. Enter your local IP address and subnet mask. 

11. To update the TCP/IP configuration, press Esc and select Yes. 

12. To reinitialize the system, enter the following at the server console: 

REINITIALIZE SYSTEM 

13. To verify that TCP/IP is configured successfully, enter the following 
at the server console: 

CONFIG 
Appendix: Installing License Certificates 


This appendix provides instructions for licensing the Novell® 
BorderManager™ software on your NetWare® server using the License Install 
utility or NetWare Administrator. You can use these procedures to install an 
initial license, install an evaluation license, or install a new license over an 
expired license. If you do not have a valid or trial license installed, 
BorderManager will not load. This appendix contains the following sections: 


- “Using the License Install Utility” on page 153 

- “Using NetWare Administrator” on page 154 


Master License Agreement (MLA), Corporate License Agreement (CLA), and 
Volume License Agreement (VLA) licenses are not assigned to a specific 
server. Therefore, they can be used by multiple servers in the same tree and 
need to be installed only once. Other license types, including trial licenses, 
must be installed and assigned to individual servers. If you use the License 
Install utility, the server license assignment is made automatically. If you use 
NetWare Administrator, you must make the server license assignments 
manually. Using the License Install utility is the preferred method. 


Using the License Install Utility 


When you use this utility to install licenses, the licenses are automatically 
assigned to the server from which you run the utility. This is the preferred 
method. 


To install licenses at the server console using the License Install utility, 
complete the following steps: 

1. At the server console, enter 

LOAD LICINST 

2. Log in to the Novell® BorderManager™ server with administrative 
rights. 

3. Enter the path to the license envelope (for example, A:\ if your 
license is on a diskette). 

4. Select the license envelope containing the licenses. 

5. Press Enter. 

A summary window displays the licenses installed. 

6. Press Esc twice and select Yes to exit the utility. 


Using NetWare Administrator 


When you use NetWare® Administrator to install licenses, you must manually 
assign each license to the server. 


To install licenses using NetWare Administrator, complete the following steps: 

1. From an administrator workstation, log in to the Novell® 
BorderManager™ server with administrative rights. 

2. Map a drive to the SYS: volume of the BorderManager server and 
run NetWare Administrator. 

3. Select the BorderManager server on which you want to install 
licenses. 

4. From the Tools menu, select Install Licenses > Install Envelope. 

5. Enter the path to the license envelope (for example, A:\ if your 
license is on a diskette), or click Browse to locate the license envelope. 

6. Select the license envelope containing the licenses. 

7. Select the license certificates to install. 

8. Confirm the context field in which to install the licenses. Modify this 
field if necessary. 

9. Review the envelope description and click OK. 

A summary report of successfully installed licenses is displayed. 

10. Select Close, then exit and restart NetWare Administrator to refresh 
the license view. 

11. If your license is not an MLA, CLA, or VLA license, assign it to an 
individual server by completing the following substeps: 

11a. Double-click the license container you installed. 

The license certificate is displayed. 

11b. Double-click the license certificate, then select Details > 
Assignments. 

11c. Click Browse to locate the BorderManager server on which to 
install the license certificate, select the server, then click Add. 

11d. Select the context containing the BorderManager server, then 
click OK. 

11e. Repeat Step 11a through Step 11d for each license certificate 
you want to install. 

12. Exit NetWare Administrator. 